From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 24 Aug 2011 09:16:04 -0400 Subject: [refpolicy] [PATCH 1/1] Allow dhcp client to update kernel routing table plus context updates In-Reply-To: <20110823111831.GA5732@siphos.be> References: <20110823111831.GA5732@siphos.be> Message-ID: <4E54F994.6060506@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/23/11 07:18, Sven Vermeulen wrote: > This small patch updates the dhcpc_t (DHCP client domain) to allow updating the > kernel's routing tables (as that is a primary purpose of a DHCP client) as well > as interact with the kernel through the net_sysctls. > > Also, one client (dhcpcd) uses /var/run/dhcpcd so add that in the file context > definition as well. Merged. > Signed-off-by: Sven Vermeulen > --- > policy/modules/system/sysnetwork.fc | 1 + > policy/modules/system/sysnetwork.te | 3 ++- > 2 files changed, 3 insertions(+), 1 deletions(-) > > diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc > index 694fd94..f515dd5 100644 > --- a/policy/modules/system/sysnetwork.fc > +++ b/policy/modules/system/sysnetwork.fc > @@ -60,6 +60,7 @@ ifdef(`distro_redhat',` > /var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) > > /var/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0) > +/var/run/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_var_run_t,s0) > > ifdef(`distro_gentoo',` > /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) > diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te > index d716d35..889b2a2 100644 > --- a/policy/modules/system/sysnetwork.te > +++ b/policy/modules/system/sysnetwork.te 
> @@ -50,7 +50,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms; > allow dhcpc_t self:tcp_socket create_stream_socket_perms; > allow dhcpc_t self:udp_socket create_socket_perms; > allow dhcpc_t self:packet_socket create_socket_perms; > -allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read }; > +allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; > > allow dhcpc_t dhcp_etc_t:dir list_dir_perms; > read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) > @@ -85,6 +85,7 @@ kernel_search_network_sysctl(dhcpc_t) > kernel_read_kernel_sysctls(dhcpc_t) > kernel_request_load_module(dhcpc_t) > kernel_use_fds(dhcpc_t) > +kernel_rw_net_sysctls(dhcpc_t) > > corecmd_exec_bin(dhcpc_t) > corecmd_exec_shell(dhcpc_t) -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
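Review bot: the sysnetwork.fc hunk header shows `ifdef(`distro_redhat',`` as the nearest preceding context, so confirm the new `/var/run/dhcpcd(/.*)?` entry lands in the unconditional section next to `/var/run/dhclient.*` and not inside the Red Hat block, since dhcpcd is not distro-specific and the commit message does not say otherwise. Note also the difference in scope between the two adjacent entries: `/var/run/dhclient.* --` labels regular files only, while the new pattern carries no type qualifier and therefore labels the dhcpcd directory itself and everything beneath it as dhcpc_var_run_t, which is what a per-daemon runtime directory needs; existing installs will need a relabel of /var/run before the new context takes effect.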
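Review bot: adding `nlmsg_write` to the `self:netlink_route_socket` rule is what lets dhcpc_t push addresses and routes into the kernel, but the commit message should state that this is write access to the whole NETLINK_ROUTE family (links, addresses, routes), not just route insertion, and the `corecmd_exec_bin(dhcpc_t)` / `corecmd_exec_shell(dhcpc_t)` lines visible in the next hunk's context mean any hook script the client runs without a domain transition inherits it as well. If this tree defines the `rw_netlink_socket_perms` permission set, `{ create_socket_perms nlmsg_read nlmsg_write }` could be written with it for consistency with other domains.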
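Review bot: `kernel_rw_net_sysctls(dhcpc_t)` grants write access to every net sysctl, and the message only says the client needs to "interact with the kernel through the net_sysctls"; the AVC denials or the specific sysctls dhcpcd writes should be named in the commit message so a later reader can tell whether a write grant this broad is still required. Also check whether `kernel_search_network_sysctl(dhcpc_t)`, shown in the hunk header, becomes redundant once the read/write interface is present, since that interface normally has to grant directory search to reach the sysctl files.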