A few small dhcpc_t updates; one to support pump, another to support IPv6 NDP
clients.
Sven Vermeulen (2):
Update for pump DHCP client
Support IPv6 Neighbor Discovery Protocol for dhcpcd
policy/modules/system/sysnetwork.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--
1.8.1.5
When invoking the pump DHCP client, the client immediately aborts. No errors are
shown, but the process isn't running and the returncode is 1.
The denials reveal that pump wants to create a socket in /var/run (called
pump.sock). After granting dhcpc_t the rights to manage dhcpc_var_run_t
sock_file's and introduce a files_pid_filetrans for sock_file, pump gives the
next failure:
~# pump -i eth0
failed to connect to localhost:bootpc: Connection refused
>From the denials, we get that pump requires "accept" on its own
unix_stream_socket, which iteratively expands to "accept listen connectto". Once
assigned, pump seems to work again.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/sysnetwork.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 11247e2..49c5dfe 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -54,6 +54,7 @@ allow dhcpc_t self:tcp_socket create_stream_socket_perms;
allow dhcpc_t self:udp_socket create_socket_perms;
allow dhcpc_t self:packet_socket create_socket_perms;
allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
+allow dhcpc_t self:unix_stream_socket { accept listen connectto };
allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
@@ -64,9 +65,10 @@ manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
# create pid file
+allow dhcpc_t dhcpc_var_run_t:sock_file manage_sock_file_perms;
manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
create_dirs_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
+files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir sock_file })
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
--
1.8.1.5
The dhcpcd client supports IPv6 NDP, but when trying to use it the request fails
with:
ipv6rs: Permission denied
In the audit log, a denial is shown about dhcpc_t wanting to create a
rawip_socket. After allowing this, the client succeeds.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/sysnetwork.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 49c5dfe..e0e1556 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -53,6 +53,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
allow dhcpc_t self:udp_socket create_socket_perms;
allow dhcpc_t self:packet_socket create_socket_perms;
+allow dhcpc_t self:rawip_socket create_socket_perms;
allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
allow dhcpc_t self:unix_stream_socket { accept listen connectto };
--
1.8.1.5
On 05/07/13 14:37, Sven Vermeulen wrote:
> The dhcpcd client supports IPv6 NDP, but when trying to use it the request fails
> with:
>
> ipv6rs: Permission denied
>
> In the audit log, a denial is shown about dhcpc_t wanting to create a
> rawip_socket. After allowing this, the client succeeds.
Thats odd; I don't see this on my IPv6 system. Which version of dhcpcd is this seen on? I'm using 5.6.8.
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/sysnetwork.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index 49c5dfe..e0e1556 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -53,6 +53,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
> allow dhcpc_t self:tcp_socket create_stream_socket_perms;
> allow dhcpc_t self:udp_socket create_socket_perms;
> allow dhcpc_t self:packet_socket create_socket_perms;
> +allow dhcpc_t self:rawip_socket create_socket_perms;
> allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
> allow dhcpc_t self:unix_stream_socket { accept listen connectto };
>
>
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 05/07/13 14:37, Sven Vermeulen wrote:
> When invoking the pump DHCP client, the client immediately aborts. No errors are
> shown, but the process isn't running and the returncode is 1.
>
> The denials reveal that pump wants to create a socket in /var/run (called
> pump.sock). After granting dhcpc_t the rights to manage dhcpc_var_run_t
> sock_file's and introduce a files_pid_filetrans for sock_file, pump gives the
> next failure:
>
> ~# pump -i eth0
> failed to connect to localhost:bootpc: Connection refused
>
>>From the denials, we get that pump requires "accept" on its own
> unix_stream_socket, which iteratively expands to "accept listen connectto". Once
> assigned, pump seems to work again.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/sysnetwork.te | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index 11247e2..49c5dfe 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -54,6 +54,7 @@ allow dhcpc_t self:tcp_socket create_stream_socket_perms;
> allow dhcpc_t self:udp_socket create_socket_perms;
> allow dhcpc_t self:packet_socket create_socket_perms;
> allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
> +allow dhcpc_t self:unix_stream_socket { accept listen connectto };
One minor nit. This should be expanded out to create_stream_socket_perms. It gets the other perms from that set from logging_send_syslog_msg(). If these perms were ever dropped (admittedly unlikely), we'd still need them here.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Thu, May 09, 2013 at 09:12:03AM -0400, Christopher J. PeBenito wrote:
> On 05/07/13 14:37, Sven Vermeulen wrote:
> > The dhcpcd client supports IPv6 NDP, but when trying to use it the request fails
> > with:
> >
> > ipv6rs: Permission denied
> >
> > In the audit log, a denial is shown about dhcpc_t wanting to create a
> > rawip_socket. After allowing this, the client succeeds.
>
> Thats odd; I don't see this on my IPv6 system. Which version of dhcpcd is this seen on? I'm using 5.6.8.
I'm using dhcpcd-5.6.4 currently; I use the "-t 5 -L --ipv6ra_own"
options.
I tried it again (disabled the rule):
* Bringing up interface eth0
* dhcp ...
* Running dhcpcd ...
dhcpcd[19528]: version 5.6.4 starting
dhcpcd[19528]: all: disabling Kernel IPv6 RA support
dhcpcd[19528]: ipv6rs: Permission denied
dhcpcd[19528]: ipv6nd: Permission denied
dhcpcd[19528]: eth0: broadcasting for a lease
dhcpcd[19528]: timed out
dhcpcd[19528]: all: restoring Kernel IPv6 RA support
* ERROR: net.eth0 failed to start
I'll update to 5.6.8 soon and see if it persists.
Wkr,
Sven Vermeulen
On 05/09/13 12:12, Sven Vermeulen wrote:
> On Thu, May 09, 2013 at 09:12:03AM -0400, Christopher J. PeBenito wrote:
>> On 05/07/13 14:37, Sven Vermeulen wrote:
>>> The dhcpcd client supports IPv6 NDP, but when trying to use it the request fails
>>> with:
>>>
>>> ipv6rs: Permission denied
>>>
>>> In the audit log, a denial is shown about dhcpc_t wanting to create a
>>> rawip_socket. After allowing this, the client succeeds.
>>
>> Thats odd; I don't see this on my IPv6 system. Which version of dhcpcd is this seen on? I'm using 5.6.8.
>
> I'm using dhcpcd-5.6.4 currently; I use the "-t 5 -L --ipv6ra_own"
> options.
Oh, I'm not using the --ipv6ra_own option. Maybe thats why I'm not seeing it.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com