From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Sat, 18 Oct 2014 15:30:21 +0200
Subject: [refpolicy] [PATCH 2/3] Allow iw to create generic netlink sockets
In-Reply-To: <1413639022-27375-1-git-send-email-nicolas.iooss@m4x.org>
References: <1413639022-27375-1-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <1413639022-27375-2-git-send-email-nicolas.iooss@m4x.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

iw uses a generic netlink socket to configure WiFi properties. For example,
"strace iw dev wlan0 set power_save on" outputs:

socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0
bind(3, {sa_family=AF_NETLINK, pid=7836, groups=00000000}, 12) = 0

Some AVC denials are reported in audit.log:

type=AVC msg=audit(1408829044.820:486): avc: denied { create } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:487): avc: denied { setopt } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:488): avc: denied { bind } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:489): avc: denied { getattr } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:490): avc: denied { write } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1

Allowing ifconfig_t to create generic netlink sockets fixes this.
(On a side note, the AVC denials were caused by TLP, a tool which applies "laptop configuration" when switching between AC and battery with the help of a udev script) --- policy/modules/system/sysnetwork.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 0a3ea3d979b9..bcba404cd38e 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -274,6 +274,7 @@ allow ifconfig_t self:msg { send receive }; allow ifconfig_t self:udp_socket create_socket_perms; # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; +allow ifconfig_t self:netlink_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; allow ifconfig_t self:tcp_socket { create ioctl }; -- 2.1.2
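Review bot: the new `allow ifconfig_t self:netlink_socket create_socket_perms;` line lands directly under the `# for /sbin/ip` comment that annotates the packet_socket rule, so it reads as if it were also there for ip; give it its own comment (e.g. `# for iw (NETLINK_GENERIC)`) or place it next to the netlink_route_socket/netlink_xfrm_socket rules below it. The commit message should also say that netlink_socket is the catch-all class for netlink protocols that have no dedicated class, so this rule grants more than NETLINK_GENERIC (any netlink protocol not mapped to netlink_route_socket, netlink_xfrm_socket and the other specific classes). The choice of create_socket_perms rather than create_netlink_socket_perms is correct: nlmsg_read/nlmsg_write are not defined on the generic netlink_socket class, and create_socket_perms covers all five permissions in the quoted denials (create, setopt, bind, getattr, write).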
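The denial-to-rule step described in the commit message, i.e. collapsing the five netlink_socket AVC lines into one refpolicy allow rule and picking the create_socket_perms macro only when it actually covers the denied permissions, as an added example (this is not code from the patch, from refpolicy or from audit2allow). The sample audit lines are the ones quoted in the message; the macro expansion is reproduced from policy/support/obj_perm_sets.spt as the author recalls it and should be checked against the tree you build against:

```python
import re
from collections import defaultdict

# Constructed sample input: the five AVC denials quoted in the patch description.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1408829044.820:486): avc: denied { create } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:487): avc: denied { setopt } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:488): avc: denied { bind } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:489): avc: denied { getattr } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:490): avc: denied { write } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
"""

# Tolerates the variable spacing the kernel emits after "avc:" and "for".
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumption: refpolicy's rw_socket_perms / create_socket_perms macros expanded by hand.
# nlmsg_read/nlmsg_write (create_netlink_socket_perms) are deliberately absent: they are
# not defined on the generic netlink_socket class.
RW_SOCKET_PERMS = frozenset({"ioctl", "read", "getattr", "write", "setattr", "append",
                             "bind", "connect", "getopt", "setopt", "shutdown"})
CREATE_SOCKET_PERMS = RW_SOCKET_PERMS | {"create"}


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_denials(audit_text):
    """Collapse AVC denial lines into {(source_type, target_type, tclass): set(perms)}."""
    denied = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial, or one whose layout we do not understand
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denied[key].update(m["perms"].split())
    return dict(denied)


def choose_perms(perms):
    """Use create_socket_perms only when the domain creates the socket itself and every
    denied permission is inside the macro; otherwise list exactly what was denied so the
    rule does not silently widen the grant."""
    if "create" in perms and perms <= CREATE_SOCKET_PERMS:
        return "create_socket_perms"
    return "{ %s }" % " ".join(sorted(perms))


def suggest_rules(denied):
    """Render one refpolicy-style allow rule per (source, target, class) triple,
    writing 'self' when the source and target types are the same."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denied.items()):
        target = "self" if src == tgt else tgt
        rules.append("allow %s %s:%s %s;" % (src, target, tclass, choose_perms(perms)))
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(parse_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Run against the quoted denials this prints the exact line the patch adds; feed it a denial for, say, `{ getattr write }` alone and it emits the explicit permission list instead of the macro, which is the check a reviewer does before accepting a permission-set macro in a patch.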