From: guido@trentalancia.net (Guido Trentalancia)
Date: Mon, 08 Aug 2016 22:21:13 +0200
Subject: [refpolicy] [PATCH v2] Ifconfig should be able to read firmware files and load kernel modules
In-Reply-To: <83b01d15-48f4-0d32-27de-9881c49e402b@gmail.com>
References: <1470676296.2540.1.camel@trentalancia.net> <83b01d15-48f4-0d32-27de-9881c49e402b@gmail.com>
Message-ID: <1470687673.2643.3.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Ifconfig should be able to read firmware files (i.e. some network cards need to load their firmware) and it should also be able to load kernel modules. Do audit kernel module loading for both ifconfig_t and dhcpc_t.

Signed-off-by: Guido Trentalancia
---
 policy/modules/system/sysnetwork.te | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- refpolicy-git-06082016-orig/policy/modules/system/sysnetwork.te 2016-08-06 21:26:43.309774442 +0200
+++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te 2016-08-08 21:04:58.087763274 +0200
@@ -50,7 +50,7 @@ ifdef(`distro_debian',`
 allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
 dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
 # for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+dontaudit dhcpc_t self:capability { dac_read_search };
 allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
 allow dhcpc_t self:fifo_file rw_fifo_file_perms;
 
@@ -84,6 +84,7 @@ files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t
 
 can_exec(dhcpc_t, dhcpc_exec_t)
 
+kernel_load_module(dhcpc_t)
 kernel_read_system_state(dhcpc_t)
 kernel_read_network_state(dhcpc_t)
 kernel_search_network_sysctl(dhcpc_t)
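Review bot: kernel_load_module(dhcpc_t) lets a network-facing DHCP client domain load kernel modules itself, the same call is made for ifconfig_t in the next hunk, and neither the hunks nor the commit message say which operation actually produced the denial. If what is needed is only for the kernel to autoload a driver or protocol module on the tool's behalf (the usual case when an interface or address family is first touched), the narrower `kernel_request_load_module(dhcpc_t)` / `kernel_request_load_module(ifconfig_t)` covers that without granting direct module loading, and is the safer default for a domain that parses untrusted network input. If a direct module load by the tool was really observed, the commit message should quote the AVC denial, and wrapping the rule in a tunable_policy or optional_policy block would keep the privilege off systems that do not need it. The removal of sys_module from the dontaudit rule in the first hunk is consistent with this change only if kernel_load_module() itself grants that capability; worth confirming against kernel.if, since otherwise the newly audited denials would be the only visible effect.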
@@ -287,6 +288,7 @@ allow ifconfig_t self:netlink_route_sock
 allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
 allow ifconfig_t self:tcp_socket { create ioctl };
 
+kernel_load_module(ifconfig_t)
 kernel_use_fds(ifconfig_t)
 kernel_read_system_state(ifconfig_t)
 kernel_read_network_state(ifconfig_t)
@@ -305,6 +307,8 @@ domain_use_interactive_fds(ifconfig_t)
 
 files_read_etc_files(ifconfig_t)
 files_read_etc_runtime_files(ifconfig_t)
+files_read_firmware_files(ifconfig_t)
+
 fs_getattr_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)
 
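Review bot: files_read_firmware_files(ifconfig_t) grants read access to every firmware file to a domain that, presumably, many daemons transition into when they run ifconfig or ip, while the commit message only says that some network cards need their firmware. On most systems the firmware is fetched by the kernel's firmware loader when the driver is bound, so it is not obvious from the hunk why the userspace tool needs to read it; naming the driver or helper path involved and quoting the denial in the commit message would let reviewers judge whether the rule belongs in ifconfig_t unconditionally. Read-only access to firmware is low risk, so if the denial is real the rule itself is acceptable as written.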