2016-08-08 17:11:36

by guido

Subject: [refpolicy] [PATCH] Ifconfig should be able to read firmware files and load kernel modules

Ifconfig should be able to read firmware files (i.e. some network cards need
to load their firmware) and it should also be able to load kernel modules.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/sysnetwork.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- refpolicy-git-06082016-orig/policy/modules/system/sysnetwork.te 2016-08-06 21:26:43.309774442 +0200
+++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te 2016-08-08 18:29:45.342636241 +0200
@@ -261,7 +261,7 @@ optional_policy(`
# Ifconfig local policy
#

-allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };
+allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_module sys_tty_config };
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow ifconfig_t self:fd use;
allow ifconfig_t self:fifo_file rw_fifo_file_perms;
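Review bot: adding sys_module directly to the `allow ifconfig_t self:capability { ... }` line will trip the policy's `neverallow ~can_load_kernmodule self:capability sys_module;` assertion (quoted later in this thread), because ifconfig_t is not in the can_load_kernmodule attribute and the build will fail. If module loading really is required, the grant has to go through the interface that adds the domain to that attribute, `kernel_load_module(ifconfig_t)`, rather than a raw capability; the commit message should also quote the AVC denial so reviewers can see which ifconfig operation is hitting the sys_module check.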
@@ -305,6 +305,8 @@ domain_use_interactive_fds(ifconfig_t)
files_read_etc_files(ifconfig_t)
files_read_etc_runtime_files(ifconfig_t)

+files_read_firmware_files(ifconfig_t)
+
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
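Review bot: `files_read_firmware_files(ifconfig_t)` is added without saying what in the ifconfig_t domain opens firmware files; the message only states that "some network cards need to load their firmware". Please attach the denial that motivated the grant and state whether it is ifconfig itself reading the file or a firmware-loading helper that happens to run in this domain, since that decides whether the read permission belongs on ifconfig_t at all.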



2016-08-08 17:18:11

by Dac Override

Subject: [refpolicy] [PATCH] Ifconfig should be able to read firmware files and load kernel modules

On 08/08/2016 07:11 PM, Guido Trentalancia wrote:
> Ifconfig should be able to read firmware files (i.e. some network cards need
> to load their firmware) and it should also be able to load kernel modules.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/system/sysnetwork.te | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> --- refpolicy-git-06082016-orig/policy/modules/system/sysnetwork.te 2016-08-06 21:26:43.309774442 +0200
> +++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te 2016-08-08 18:29:45.342636241 +0200
> @@ -261,7 +261,7 @@ optional_policy(`
> # Ifconfig local policy
> #
>
> -allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };
> +allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_module sys_tty_config };

neverallow ~can_load_kernmodule self:capability sys_module;

> allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
> allow ifconfig_t self:fd use;
> allow ifconfig_t self:fifo_file rw_fifo_file_perms;
> @@ -305,6 +305,8 @@ domain_use_interactive_fds(ifconfig_t)
> files_read_etc_files(ifconfig_t)
> files_read_etc_runtime_files(ifconfig_t)
>
> +files_read_firmware_files(ifconfig_t)
> +
> fs_getattr_xattr_fs(ifconfig_t)
> fs_search_auto_mountpoints(ifconfig_t)
>


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


2016-08-08 19:43:08

by guido

Subject: [refpolicy] [PATCH] Ifconfig should be able to read firmware files and load kernel modules

Hello Dominick.

On Mon, 08/08/2016 at 19.18 +0200, Dominick Grift wrote:
> On 08/08/2016 07:11 PM, Guido Trentalancia wrote:
> > Ifconfig should be able to read firmware files (i.e. some network
> > cards need
> > to load their firmware) and it should also be able to load kernel
> > modules.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> >  policy/modules/system/sysnetwork.te |    4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > --- refpolicy-git-06082016-orig/policy/modules/system/sysnetwork.te
> > 2016-08-06 21:26:43.309774442 +0200
> > +++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te
> > 2016-08-08 18:29:45.342636241 +0200
> > @@ -261,7 +261,7 @@ optional_policy(`
> > ?# Ifconfig local policy
> > ?#
> > ?
> > -allow ifconfig_t self:capability { net_raw net_admin sys_admin
> > sys_tty_config };
> > +allow ifconfig_t self:capability { net_raw net_admin sys_admin
> > sys_module sys_tty_config };
>
> neverallow ~can_load_kernmodule self:capability sys_module;

Apparently, even using the kernel_load_module() interface, it does not
let ifconfig load the modules it needs...

Guido

2016-08-08 20:21:13

by guido

Subject: [refpolicy] [PATCH v2] Ifconfig should be able to read firmware files and load kernel modules

Ifconfig should be able to read firmware files (i.e. some network cards need
to load their firmware) and it should also be able to load kernel modules.

Do audit kernel module loading for both ifconfig_t and dhcpc_t.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/sysnetwork.te | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- refpolicy-git-06082016-orig/policy/modules/system/sysnetwork.te 2016-08-06 21:26:43.309774442 +0200
+++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te 2016-08-08 21:04:58.087763274 +0200
@@ -50,7 +50,7 @@ ifdef(`distro_debian',`
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
# for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+dontaudit dhcpc_t self:capability { dac_read_search };
allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };

allow dhcpc_t self:fifo_file rw_fifo_file_perms;
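Review bot: removing sys_module from the `dontaudit dhcpc_t self:capability { ... }` line only makes sense together with the `kernel_load_module(dhcpc_t)` added in the next hunk; on its own it turns a silenced denial into an audited one. The commit message's "Do audit kernel module loading" understates this: the access is now granted, not merely logged, so say so explicitly. The `# for access("/etc/bashrc", X_OK) on Red Hat` comment now describes a line that carries only dac_read_search, which is fine, but check that it still reads correctly.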
@@ -84,6 +84,7 @@ files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t

can_exec(dhcpc_t, dhcpc_exec_t)

+kernel_load_module(dhcpc_t)
kernel_read_system_state(dhcpc_t)
kernel_read_network_state(dhcpc_t)
kernel_search_network_sysctl(dhcpc_t)
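Review bot: `kernel_load_module(dhcpc_t)` lets a network-facing daemon load arbitrary kernel modules, which greatly widens what a compromised dhclient could do; the message does not name the module dhclient needs or why the kernel's own module auto-loading, which runs outside dhcpc_t, is not sufficient. If the real need is in ifconfig invoked by dhclient (as the v3 message later says), the grant belongs on ifconfig_t only and this hunk should be dropped.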
@@ -287,6 +288,7 @@ allow ifconfig_t self:netlink_route_sock
allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl };

+kernel_load_module(ifconfig_t)
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
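Review bot: `kernel_load_module(ifconfig_t)` satisfies the neverallow raised earlier in the thread by putting ifconfig_t in can_load_kernmodule, but it grants a tool that is executed from many domains the right to load any module. Please quote the denial: if ifconfig is only performing an interface ioctl and the sys_module check comes from the kernel attempting an autoload on its behalf, a dontaudit that leaves the load to the usual modprobe path is a safer fix than a blanket grant.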
@@ -305,6 +307,8 @@ domain_use_interactive_fds(ifconfig_t)
files_read_etc_files(ifconfig_t)
files_read_etc_runtime_files(ifconfig_t)

+files_read_firmware_files(ifconfig_t)
+
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)


2016-08-13 22:04:19

by guido

Subject: [refpolicy] [PATCH v3] Ifconfig should be able to read firmware files and load kernel modules

Ifconfig should be able to read firmware files in /lib (i.e. some network
cards need to load their firmware) and it should also be able to load
kernel modules (e.g. when called by dhclient to bring up an interface
which requires kernel module loading).

Do audit kernel module loading for both ifconfig_t and dhcpc_t.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/sysnetwork.te | 3 +++
1 file changed, 3 insertions(+)

--- refpolicy-git-06082016-orig/policy/modules/system/sysnetwork.te 2016-08-06
21:26:43.309774442 +0200
+++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te 2016-08-13
23:38:42.816761522 +0200
@@ -287,6 +295,7 @@ allow ifconfig_t self:netlink_route_sock
allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl };

+kernel_load_module(ifconfig_t)
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
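Review bot: the header `@@ -287,6 +295,7 @@` says the new file is already 8 lines longer before this hunk, yet the diffstat reports 3 insertions in total, so the diff was generated against a working copy carrying other changes and may not apply to a clean tree; please regenerate it. The message still says "Do audit kernel module loading for both ifconfig_t and dhcpc_t", but the dhcpc_t hunks from v2 are gone; either restore them or update the message to say why they were dropped.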
@@ -308,6 +317,8 @@ files_read_etc_runtime_files(ifconfig_t)
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)

+libs_read_lib_files(ifconfig_t)
+
selinux_dontaudit_getattr_fs(ifconfig_t)

term_dontaudit_use_console(ifconfig_t)
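Review bot: `libs_read_lib_files(ifconfig_t)` replaces the `files_read_firmware_files(ifconfig_t)` used in v1 and v2 without the message explaining the change, and it reads as a broader grant (library files generally rather than firmware specifically). If the earlier interface does not exist in this tree, say so in the message; otherwise prefer the narrower one. In either case, quote the denied path so the scope of the grant can be judged against the actual need.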

2016-08-14 18:29:05

by guido

Subject: [refpolicy] [PATCH v4] Ifconfig should be able to read firmware files

Ifconfig should be able to read firmware files in /lib (i.e. some network
cards need to load their firmware) and it should not audit attempts
to load kernel modules directly.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/sysnetwork.te | 3 +++
1 file changed, 3 insertions(+)

--- refpolicy-git-06082016-orig/policy/modules/system/sysnetwork.te 2016-08-06 21:26:43.309774442 +0200
+++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te 2016-08-14 20:17:19.170766644 +0200
@@ -262,6 +269,7 @@ optional_policy(`
#

allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };
+dontaudit ifconfig_t self:capability sys_module;
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow ifconfig_t self:fd use;
allow ifconfig_t self:fifo_file rw_fifo_file_perms;
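Review bot: `dontaudit ifconfig_t self:capability sys_module;` silences the denial rather than granting it, which is consistent with the neverallow discussed earlier in the thread, but a bare dontaudit gives the next reader no clue why the denial is expected; add a one-line comment above it stating which ifconfig operation triggers the sys_module check and that interface configuration still succeeds when it is denied. As with v3, the header offsets (`-262,6 +269,7`) do not match a 3-line insertion, so please regenerate the patch against a clean checkout before merging.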
@@ -308,6 +316,8 @@ files_read_etc_runtime_files(ifconfig_t)
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)

+libs_read_lib_files(ifconfig_t)
+
selinux_dontaudit_getattr_fs(ifconfig_t)

term_dontaudit_use_console(ifconfig_t)

2016-08-14 18:52:53

by Chris PeBenito

Subject: [refpolicy] [PATCH v4] Ifconfig should be able to read firmware files

On 08/14/16 14:29, Guido Trentalancia wrote:
> Ifconfig should be able to read firmware files in /lib (i.e. some network
> cards need to load their firmware) and it should not audit attempts
> to load kernel modules directly.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/system/sysnetwork.te | 3 +++
> 1 file changed, 3 insertions(+)
>
> --- refpolicy-git-06082016-orig/policy/modules/system/sysnetwork.te 2016-08-06 21:26:43.309774442 +0200
> +++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te 2016-08-14 20:17:19.170766644 +0200
> @@ -262,6 +269,7 @@ optional_policy(`
> #
>
> allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };
> +dontaudit ifconfig_t self:capability sys_module;
> allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
> allow ifconfig_t self:fd use;
> allow ifconfig_t self:fifo_file rw_fifo_file_perms;
> @@ -308,6 +316,8 @@ files_read_etc_runtime_files(ifconfig_t)
> fs_getattr_xattr_fs(ifconfig_t)
> fs_search_auto_mountpoints(ifconfig_t)
>
> +libs_read_lib_files(ifconfig_t)
> +
> selinux_dontaudit_getattr_fs(ifconfig_t)
>
> term_dontaudit_use_console(ifconfig_t)


Merged.

--
Chris PeBenito