From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 23 Oct 2014 08:13:22 -0400
Subject: [refpolicy] [PATCH 2/3] Allow iw to create generic netlink sockets
In-Reply-To: <1413639022-27375-2-git-send-email-nicolas.iooss@m4x.org>
References: <1413639022-27375-1-git-send-email-nicolas.iooss@m4x.org> <1413639022-27375-2-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <5448F0E2.3070405@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/18/2014 9:30 AM, Nicolas Iooss wrote:
> iw uses a generic netlink socket to configure WiFi properties. For
> example, "strace iw dev wlan0 set power_save on" outputs:
>
> socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
> setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
> setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0
> bind(3, {sa_family=AF_NETLINK, pid=7836, groups=00000000}, 12) = 0
>
> Some AVC denials are reported in audit.log:
>
> type=AVC msg=audit(1408829044.820:486): avc: denied { create } for
> pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
> permissive=1
> type=AVC msg=audit(1408829044.820:487): avc: denied { setopt } for
> pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
> permissive=1
> type=AVC msg=audit(1408829044.820:488): avc: denied { bind } for
> pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
> permissive=1
> type=AVC msg=audit(1408829044.820:489): avc: denied { getattr }
> for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
> permissive=1
> type=AVC msg=audit(1408829044.820:490): avc: denied { write } for
> pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
> permissive=1
>
> Allowing ifconfig_t to create
generic netlink sockets fixes this. Merged. > (On a side note, the AVC denials were caused by TLP, a tool which > applies "laptop configuration" when switching between AC and battery > with the help of a udev script) > --- > policy/modules/system/sysnetwork.te | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te > index 0a3ea3d979b9..bcba404cd38e 100644 > --- a/policy/modules/system/sysnetwork.te > +++ b/policy/modules/system/sysnetwork.te > @@ -274,6 +274,7 @@ allow ifconfig_t self:msg { send receive }; > allow ifconfig_t self:udp_socket create_socket_perms; > # for /sbin/ip > allow ifconfig_t self:packet_socket create_socket_perms; > +allow ifconfig_t self:netlink_socket create_socket_perms; > allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; > allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; > allow ifconfig_t self:tcp_socket { create ioctl }; > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
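Review bot: the added line has no explanatory comment while its neighbour does: `allow ifconfig_t self:packet_socket create_socket_perms;` is preceded by `# for /sbin/ip`, so a `# for iw (NETLINK_GENERIC)` line above `+allow ifconfig_t self:netlink_socket create_socket_perms;` would record why the catch-all `netlink_socket` class (used for every netlink protocol that has no dedicated class, NETLINK_GENERIC included) is now allowed next to the protocol-specific `netlink_route_socket` and `netlink_xfrm_socket` rules. The permission set itself is right: the five denials in the description (create, setopt, bind, getattr, write) all fall within `create_socket_perms`, and the `nlmsg_*` permissions that `create_netlink_socket_perms` would add are defined only on the protocol-specific netlink classes, not on `netlink_socket`.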