From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 7 May 2013 20:37:05 +0200
Subject: [refpolicy] [PATCH 1/2] Update for pump DHCP client
In-Reply-To: <1367951826-21257-1-git-send-email-sven.vermeulen@siphos.be>
References: <1367951826-21257-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1367951826-21257-2-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When invoking the pump DHCP client, the client immediately aborts. No errors are shown, but the process isn't running and the return code is 1.

The denials reveal that pump wants to create a socket in /var/run (called pump.sock). After granting dhcpc_t the rights to manage dhcpc_var_run_t sock_files and introducing a files_pid_filetrans for sock_file, pump gives the next failure:

~# pump -i eth0
failed to connect to localhost:bootpc: Connection refused

From the denials, we get that pump requires "accept" on its own unix_stream_socket, which iteratively expands to "accept listen connectto". Once assigned, pump seems to work again.

Signed-off-by: Sven Vermeulen
---
 policy/modules/system/sysnetwork.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 11247e2..49c5dfe 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -54,6 +54,7 @@ allow dhcpc_t self:tcp_socket create_stream_socket_perms; allow dhcpc_t self:udp_socket create_socket_perms; allow dhcpc_t self:packet_socket create_socket_perms; allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; +allow dhcpc_t self:unix_stream_socket { accept listen connectto }; allow dhcpc_t dhcp_etc_t:dir list_dir_perms; read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
@@ -64,9 +65,10 @@ manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t) filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) # create pid file +allow dhcpc_t dhcpc_var_run_t:sock_file manage_sock_file_perms; manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) create_dirs_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) -files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir }) +files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir sock_file }) # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. -- 1.8.1.5
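Review bot: the new `allow dhcpc_t self:unix_stream_socket { accept listen connectto };` in the @@ -54,6 +54,7 @@ hunk grants only the listen/accept/connectto side and no create or bind permission, yet the commit message says pump already gets as far as creating and binding pump.sock before the "Connection refused" failure, so a rule granting dhcpc_t create_stream_socket_perms (which already contains listen and accept) on self:unix_stream_socket must exist above the visible context or come from an interface. Rather than a second rule on the same type/class pair, fold the missing permission into that one in the style of the tcp_socket/udp_socket/packet_socket lines above, e.g. `allow dhcpc_t self:unix_stream_socket { create_stream_socket_perms connectto };`, so each self socket class keeps a single rule.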
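Review bot: the bare `allow dhcpc_t dhcpc_var_run_t:sock_file manage_sock_file_perms;` added in the @@ -64,9 +65,10 @@ hunk sits between two pattern macros; refpolicy style here is `manage_sock_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)` alongside the existing manage_files_pattern/create_dirs_pattern lines. The `# create pid file` comment above it now also covers the socket, so reword it (e.g. `# pid file and pump.sock`). The files_pid_filetrans change only labels pump.sock at creation time; since the diffstat shows 1 file changed, check that patch 2/2 or a follow-up adds a `/var/run/pump\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0)` entry to sysnetwork.fc so a relabel yields the same type.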
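The commit message describes turning a sequence of AVC denials into the two allow rules by hand, one denial at a time. The script below is an added example, not part of the patch or of refpolicy, that does the same aggregation over constructed AVC lines (modelled on the denials the message describes, not the author's actual audit log): it groups denials by source type, target type and object class, merges the permissions, and writes the target as `self` when source and target types match, which is the form the patch uses. The sample lines, the function names and the timestamps are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample AVC denials (not from the original report). They follow
# the story in the commit message: sock_file creation in /var/run, then
# accept, listen and connectto on pump's own unix_stream_socket.
AVC_SAMPLE='type=AVC msg=audit(1367951000.101:201): avc:  denied  { create } for  pid=1234 comm="pump" name="pump.sock" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1367951000.102:202): avc:  denied  { accept } for  pid=1234 comm="pump" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1367951000.103:203): avc:  denied  { listen } for  pid=1234 comm="pump" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1367951000.104:204): avc:  denied  { connectto } for  pid=1234 comm="pump" path="/var/run/pump.sock" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=unix_stream_socket'

# avc_to_allow: read AVC lines on stdin and print one "allow" rule per
# (source type, target type, class), with the permissions of all matching
# denials merged and de-duplicated, in first-seen order.
avc_to_allow() {
    # Extract "<src type> <tgt type> <class> <perm...>" from each denial;
    # the type is the third colon-separated field of a context.
    sed -n 's/.*denied  *{ \([^}]*\)}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' |
    awk '{
        key = $1 "," $2 "," $3
        if (!(key in seen)) { seen[key] = 1; keys[++n] = key }
        for (i = 4; i <= NF; i++)
            if (!((key, $i) in have)) { have[key, $i] = 1; plist[key] = plist[key] " " $i }
    }
    END {
        for (i = 1; i <= n; i++) {
            key = keys[i]
            split(key, f, ",")
            # Same source and target type: refpolicy writes the target as self.
            tgt = (f[1] == f[2]) ? "self" : f[2]
            sub(/^ /, "", plist[key])
            p = index(plist[key], " ") ? "{ " plist[key] " }" : plist[key]
            printf "allow %s %s:%s %s;\n", f[1], tgt, f[3], p
        }
    }'
}

# derive_rules: run the aggregation over the constructed sample.
derive_rules() {
    printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
}

derive_rules
```

On a real system the equivalent is `ausearch -m avc -c pump | audit2allow`; the point of the hand-rolled version is to show the grouping that makes "accept", "listen" and "connectto" land in one `self:unix_stream_socket` rule, and that the sock_file denial is reported against var_run_t, which is exactly why the patch adds the sock_file filetrans so the socket is created as dhcpc_var_run_t instead.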