This small patch updates the dhcpc_t (DHCP client domain) to allow updating the
kernel's routing tables (as that is a primary purpose of a DHCP client) as well
as interacting with the kernel through the net_sysctls.
Also, one client (dhcpcd) uses /var/run/dhcpcd so add that in the file context
definition as well.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/sysnetwork.fc | 1 +
policy/modules/system/sysnetwork.te | 3 ++-
2 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 694fd94..f515dd5 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -60,6 +60,7 @@ ifdef(`distro_redhat',`
/var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+/var/run/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_var_run_t,s0)
ifdef(`distro_gentoo',`
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
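Review bot: the new `/var/run/dhcpcd(/.*)?` entry only labels the directory on relabel; since dhcpcd creates that directory itself at runtime under /var/run, dhcpc_t also needs a matching pid file transition (a `files_pid_filetrans` to dhcpc_var_run_t for the directory class) so the freshly created directory does not end up as var_run_t. That transition is not visible in this hunk, so it is worth confirming it already exists in sysnetwork.te. Also note the entry differs in shape from the neighbouring `/var/run/dhclient.* --` line (that one matches only regular files), which is intended here since dhcpcd uses a directory, but a one-line comment in the .fc would save the next reader the question.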
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index d716d35..889b2a2 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -50,7 +50,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
allow dhcpc_t self:udp_socket create_socket_perms;
allow dhcpc_t self:packet_socket create_socket_perms;
-allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
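Review bot: `nlmsg_write` on `netlink_route_socket` is broader than the commit message states; rtnetlink write access lets dhcpc_t add and delete addresses and change link state as well as routes, which is in fact what a DHCP client needs (it has to configure the leased address on the interface), so the commit message should say "routes, addresses and links" rather than only "routing tables". The rule itself is correct as written and keeps the existing `create_socket_perms nlmsg_read` set intact.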
@@ -85,6 +85,7 @@ kernel_search_network_sysctl(dhcpc_t)
kernel_read_kernel_sysctls(dhcpc_t)
kernel_request_load_module(dhcpc_t)
kernel_use_fds(dhcpc_t)
+kernel_rw_net_sysctls(dhcpc_t)
corecmd_exec_bin(dhcpc_t)
corecmd_exec_shell(dhcpc_t)
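Review bot: `kernel_rw_net_sysctls(dhcpc_t)` grants write access to everything under /proc/sys/net, not just the handful of entries a DHCP client touches (for example the per-interface IPv6 accept_ra or forwarding toggles), so the commit message should name which sysctls the client actually writes so the scope of the grant is documented. With this interface in place the `kernel_search_network_sysctl(dhcpc_t)` call shown in the hunk header is very likely redundant, since the rw interface already includes search on the net sysctl directories; consider dropping it in the same patch.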
--
1.7.3.4
On 08/23/11 07:18, Sven Vermeulen wrote:
> This small patch updates the dhcpc_t (DHCP client domain) to allow updating the
> kernel's routing tables (as that is a primary purpose of a DHCP client) as well
> as interacting with the kernel through the net_sysctls.
>
> Also, one client (dhcpcd) uses /var/run/dhcpcd so add that in the file context
> definition as well.
Merged.
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/sysnetwork.fc | 1 +
> policy/modules/system/sysnetwork.te | 3 ++-
> 2 files changed, 3 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
> index 694fd94..f515dd5 100644
> --- a/policy/modules/system/sysnetwork.fc
> +++ b/policy/modules/system/sysnetwork.fc
> @@ -60,6 +60,7 @@ ifdef(`distro_redhat',`
> /var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
>
> /var/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
> +/var/run/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_var_run_t,s0)
>
> ifdef(`distro_gentoo',`
> /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index d716d35..889b2a2 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -50,7 +50,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
> allow dhcpc_t self:tcp_socket create_stream_socket_perms;
> allow dhcpc_t self:udp_socket create_socket_perms;
> allow dhcpc_t self:packet_socket create_socket_perms;
> -allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
> +allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
>
> allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
> read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
> @@ -85,6 +85,7 @@ kernel_search_network_sysctl(dhcpc_t)
> kernel_read_kernel_sysctls(dhcpc_t)
> kernel_request_load_module(dhcpc_t)
> kernel_use_fds(dhcpc_t)
> +kernel_rw_net_sysctls(dhcpc_t)
>
> corecmd_exec_bin(dhcpc_t)
> corecmd_exec_shell(dhcpc_t)
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com