2011-09-09 19:46:26

by sven.vermeulen

Subject: [refpolicy] [PATCHv2 0/6] Wireshark application updates

This is a set of simple updates on the wireshark application.

- Support the use of user terminals
- Access /dev/random
- Remove duplicate corecmd_search_bin
- Allow wireshark to execute bin_t
- Let dumpcap dump its packets
- Grant access to sysfs

Changes since v1
================

- Use userdom_use_user_ptys instead of _terminals
- Generate patch from within contrib submodule

Wkr,
Sven Vermeulen


2011-09-09 19:47:24

by sven.vermeulen

Subject: [refpolicy] [PATCHv2 1/6] Allow using user terminals

In order to debug wireshark startup issues, it is important that
wireshark, when started from a command line, is allowed to output its
error messages.

Signed-off-by: Sven Vermeulen <[email protected]>
---
wireshark.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/wireshark.te b/wireshark.te
index 8bfe97d..5ea50f5 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -93,6 +93,7 @@ seutil_use_newrole_fds(wireshark_t)
sysnet_read_config(wireshark_t)

userdom_manage_user_home_content_files(wireshark_t)
+userdom_use_user_ptys(wireshark_t)

tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(wireshark_t)
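Review bot: The added userdom_use_user_ptys(wireshark_t) line covers pseudo-terminals only, while the subject and commit message speak of user terminals in general. Either say "user ptys" in the subject and message, or state why a wireshark started from a non-pty terminal does not need the same access, so that the v1 to v2 change is recorded in the commit itself.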
--
1.7.3.4

2011-09-09 19:47:51

by sven.vermeulen

Subject: [refpolicy] [PATCHv2 2/6] Allow wireshark to use the random device


It already has the rights to use the urandom device, but access to the
random device is also needed.

Signed-off-by: Sven Vermeulen <[email protected]>
---
wireshark.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/wireshark.te b/wireshark.te
index 5ea50f5..94ab49a 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -75,6 +75,7 @@ corecmd_search_bin(wireshark_t)
corenet_tcp_connect_generic_port(wireshark_t)
corenet_tcp_sendrecv_generic_if(wireshark_t)

+dev_read_rand(wireshark_t)
dev_read_urand(wireshark_t)

files_read_etc_files(wireshark_t)
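Review bot: The commit message does not say what in wireshark reads the random device, so the new dev_read_rand(wireshark_t) line above dev_read_urand cannot be checked against a concrete need. Please quote the AVC denial or name the code path that triggers it in the message.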
--
1.7.3.4

2011-09-09 19:48:16

by sven.vermeulen

Subject: [refpolicy] [PATCHv2 3/6] Remove duplicate corecmd_search_bin


Title says it all, the module used "corecmd_search_bin" twice.

Signed-off-by: Sven Vermeulen <[email protected]>
---
wireshark.te | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/wireshark.te b/wireshark.te
index 94ab49a..db06f15 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -46,7 +46,6 @@ allow wireshark_t self:udp_socket create_socket_perms;

# Re-execute itself (why?)
can_exec(wireshark_t, wireshark_exec_t)
-corecmd_search_bin(wireshark_t)

# /home/.wireshark
manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
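Review bot: The comment "# Re-execute itself (why?)" directly above the removed line still carries an open question; since this is a cleanup patch, answer it or drop the "(why?)" while here. The commit message could also say where the remaining corecmd_search_bin(wireshark_t) call lives, so the removal is easy to verify.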
--
1.7.3.4

2011-09-09 19:48:46

by sven.vermeulen

Subject: [refpolicy] [PATCHv2 4/6] Allow wireshark to execute bin_t

Wireshark needs to be able to execute applications, definitely for its
plugin support, but also to call the dumpcap utility (part of the
wireshark distribution) to be able to dump the network traffic.

Signed-off-by: Sven Vermeulen <[email protected]>
---
wireshark.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/wireshark.te b/wireshark.te
index db06f15..2ec43c4 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -69,6 +69,7 @@ kernel_read_kernel_sysctls(wireshark_t)
kernel_read_system_state(wireshark_t)
kernel_read_sysctl(wireshark_t)

+corecmd_exec_bin(wireshark_t)
corecmd_search_bin(wireshark_t)

corenet_tcp_connect_generic_port(wireshark_t)
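Review bot: corecmd_exec_bin(wireshark_t) lets wireshark_t run any bin_t program in its own domain, which is broader than the two uses the message names (plugins and dumpcap). Consider stating in the message why a dedicated type and domain transition for dumpcap is not used, and check whether corecmd_search_bin(wireshark_t) on the next line is still needed once exec access on bin_t is granted.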
--
1.7.3.4

2011-09-09 19:49:16

by sven.vermeulen

Subject: [refpolicy] [PATCHv2 5/6] Dumpcap dumps the packets as packet_socket

The dumpcap utility (running in the wireshark_t domain) needs to be able
to write packet_sockets.

Signed-off-by: Sven Vermeulen <[email protected]>
---
wireshark.te | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/wireshark.te b/wireshark.te
index 2ec43c4..7b325bc 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -40,7 +40,7 @@ allow wireshark_t self:fifo_file { getattr read write };
allow wireshark_t self:shm destroy;
allow wireshark_t self:shm create_shm_perms;
allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms };
-allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read };
+allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read write };
allow wireshark_t self:tcp_socket create_socket_perms;
allow wireshark_t self:udp_socket create_socket_perms;
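Review bot: Adding write to the packet_socket permission set allows wireshark_t to send raw frames, not only capture them, and the message does not explain why dumping packets needs it. Please include the denial that prompted the change, or the dumpcap operation that writes to the socket, so the extra permission is justified in the history.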

--
1.7.3.4

2011-09-09 19:49:43

by sven.vermeulen

Subject: [refpolicy] [PATCH 6/6] Grant wireshark read access on sysfs

The wireshark utility reads information from the network devices listed
in the sysfs hierarchy.

Signed-off-by: Sven Vermeulen <[email protected]>
---
wireshark.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/wireshark.te b/wireshark.te
index 7b325bc..18e7924 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -76,6 +76,7 @@ corenet_tcp_connect_generic_port(wireshark_t)
corenet_tcp_sendrecv_generic_if(wireshark_t)

dev_read_rand(wireshark_t)
+dev_read_sysfs(wireshark_t)
dev_read_urand(wireshark_t)

files_read_etc_files(wireshark_t)
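Review bot: The new dev_read_sysfs(wireshark_t) line grants read access to sysfs as a whole, while the message says only the network device entries are read. A short comment above the line naming what wireshark reads there would document why the broader grant is accepted.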
--
1.7.3.4

2011-09-14 13:02:29

by cpebenito

Subject: [refpolicy] [PATCHv2 0/6] Wireshark application updates

On 09/09/11 15:46, Sven Vermeulen wrote:
> This is a set of simple updates on the wireshark application.
>
> - Support the use of user terminals
> - Access /dev/random
> - Remove duplicate corecmd_search_bin
> - Allow wireshark to execute bin_t
> - Let dumpcap dump its packets
> - Grant access to sysfs
>
> Changes since v1
> ================
>
> - Use userdom_use_user_ptys instead of _terminals
> - Generate patch from within contrib submodule

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com