2015-05-22 12:49:50

by Stephen Smalley

Subject: [refpolicy] [PATCH] contrib: networkmanager: allow netlink_generic_socket access

refpolicy commit 58b302957652322288618ceda0771d39e74a9e46
defined the new netlink socket security classes introduced by
kernel commit 223ae516404a7a65f09e79a1c0291521c233336e.
NetworkManager requires netlink_generic_socket access when
running on a kernel with this change. Add an allow rule for it,
while retaining the existing :netlink_socket rule for compatibility
on older kernels.

Signed-off-by: Stephen Smalley <[email protected]>
---
networkmanager.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/networkmanager.te b/networkmanager.te
index abd35ac..7dc7cb7 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -47,6 +47,7 @@ allow NetworkManager_t self:unix_dgram_socket sendto;
allow NetworkManager_t self:unix_stream_socket { accept listen };
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
allow NetworkManager_t self:netlink_socket create_socket_perms;
+allow NetworkManager_t self:netlink_generic_socket create_socket_perms;
allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
allow NetworkManager_t self:tcp_socket { accept listen };
allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
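Review bot: The new netlink_generic_socket rule sits directly below the netlink_socket rule, but nothing in networkmanager.te records that the older rule is kept only for compatibility with kernels that predate the new classes. A one-line comment above the pair stating that would tell a later cleanup which of the two rules can be dropped once older kernels are no longer supported, and keep the older rule from staying in place indefinitely.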
--
2.1.0


2015-05-22 13:09:15

by Dac Override

Subject: [refpolicy] [PATCH] contrib: networkmanager: allow netlink_generic_socket access

On Fri, May 22, 2015 at 08:49:50AM -0400, Stephen Smalley wrote:
> refpolicy commit 58b302957652322288618ceda0771d39e74a9e46
> defined the new netlink socket security classes introduced by
> kernel commit 223ae516404a7a65f09e79a1c0291521c233336e.
> NetworkManager requires netlink_generic_socket access when
> running on a kernel with this change. Add an allow rule for it,
> while retaining the existing :netlink_socket rule for compatibility
> on older kernels.
>
> Signed-off-by: Stephen Smalley <[email protected]>

Thanks

> ---
> networkmanager.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/networkmanager.te b/networkmanager.te
> index abd35ac..7dc7cb7 100644
> --- a/networkmanager.te
> +++ b/networkmanager.te
> @@ -47,6 +47,7 @@ allow NetworkManager_t self:unix_dgram_socket sendto;
> allow NetworkManager_t self:unix_stream_socket { accept listen };
> allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
> allow NetworkManager_t self:netlink_socket create_socket_perms;
> +allow NetworkManager_t self:netlink_generic_socket create_socket_perms;
> allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
> allow NetworkManager_t self:tcp_socket { accept listen };
> allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
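Review bot: Only netlink_generic_socket is added beside the retained netlink_socket rule, while the commit message says the kernel change introduced more than one new netlink socket class. It is worth confirming, for instance from AVC denials logged on a kernel with that change, that NetworkManager_t uses no other netlink protocol that previously fell under netlink_socket. If it does, the matching class needs its own rule in this block.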
> --
> 2.1.0

--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift