From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 9 May 2013 09:17:57 -0400
Subject: [refpolicy] [PATCH 1/2] Update for pump DHCP client
In-Reply-To: <1367951826-21257-2-git-send-email-sven.vermeulen@siphos.be>
References: <1367951826-21257-1-git-send-email-sven.vermeulen@siphos.be>
	<1367951826-21257-2-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <518BA205.2040106@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/07/13 14:37, Sven Vermeulen wrote:
> When invoking the pump DHCP client, the client immediately aborts. No errors are
> shown, but the process isn't running and the returncode is 1.
> 
> The denials reveal that pump wants to create a socket in /var/run (called
> pump.sock). After granting dhcpc_t the rights to manage dhcpc_var_run_t
> sock_file's and introduce a files_pid_filetrans for sock_file, pump gives the
> next failure:
> 
> ~# pump -i eth0
> failed to connect to localhost:bootpc: Connection refused
> 
>>From the denials, we get that pump requires "accept" on its own
> unix_stream_socket, which iteratively expands to "accept listen connectto". Once
> assigned, pump seems to work again.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/system/sysnetwork.te | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index 11247e2..49c5dfe 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -54,6 +54,7 @@ allow dhcpc_t self:tcp_socket create_stream_socket_perms;
>  allow dhcpc_t self:udp_socket create_socket_perms;
>  allow dhcpc_t self:packet_socket create_socket_perms;
>  allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
> +allow dhcpc_t self:unix_stream_socket { accept listen connectto };

One minor nit.  This should be expanded out to create_stream_socket_perms.  It gets the other perms from that set from logging_send_syslog_msg().  If these perms were ever dropped (admittedly unlikely), we'd still need them here.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com