From: guido@trentalancia.net (Guido Trentalancia) Date: Sun, 14 Aug 2016 00:04:19 +0200 (CEST) Subject: [refpolicy] [PATCH v3] Ifconfig should be able to read firmware files and load kernel modules In-Reply-To: <1470687673.2643.3.camel@trentalancia.net> References: <1470676296.2540.1.camel@trentalancia.net> <83b01d15-48f4-0d32-27de-9881c49e402b@gmail.com> <1470687673.2643.3.camel@trentalancia.net> Message-ID: <1326307832.942736.1471125859717.JavaMail.open-xchange@popper02.register.it> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Ifconfig should be able to read firmware files in /lib (i.e. some network cards need to load their firmware) and it should also be able to load kernel modules (e.g. when called by dhclient to bring up an interface which requires kernel module loading). Do audit kernel module loading for both ifconfig_t and dhcpc_t. Signed-off-by: Guido Trentalancia --- policy/modules/system/sysnetwork.te | 3 +++ 1 file changed, 3 insertions(+) --- refpolicy-git-06082016-orig/policy/modules/system/sysnetwork.te 2016-08-06 21:26:43.309774442 +0200 +++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te 2016-08-13 23:38:42.816761522 +0200 @@ -287,6 +295,7 @@ allow ifconfig_t self:netlink_route_sock allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms; allow ifconfig_t self:tcp_socket { create ioctl }; +kernel_load_module(ifconfig_t) kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) @@ -308,6 +317,8 @@ files_read_etc_runtime_files(ifconfig_t) fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) +libs_read_lib_files(ifconfig_t) + selinux_dontaudit_getattr_fs(ifconfig_t) term_dontaudit_use_console(ifconfig_t)
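Review bot: In the first hunk (@@ -287,6 +295,7 @@), kernel_load_module(ifconfig_t) lets ifconfig_t load modules itself. That is broader than the case in the commit message needs if the kernel pulls the module in on its own when the interface is brought up. If the denial being fixed is a module_request on the system class, kernel_request_load_module(ifconfig_t) would be the narrower grant. Please quote the AVC denial in the commit message so the choice can be checked. The message also says module loading is audited for both ifconfig_t and dhcpc_t, but no line in this patch touches dhcpc_t. The hunk headers start 8 lines later in the new file (287 to 295) before anything is added, which does not fit a diffstat of 3 insertions, so the patch appears to have been cut from a tree with other local changes and may not apply cleanly.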
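Review bot: In the second hunk (@@ -308,6 +317,8 @@), libs_read_lib_files(ifconfig_t) grants read access to generic library files as a whole, while the stated need is only firmware under /lib. Please add a comment above the line saying it is there for network card firmware, and include the denial (file path and target type) in the commit message so it is clear that this interface is the one that covers those files. On placement, the line sits between the fs_ calls and the selinux_/term_ calls, which are all kernel-layer interfaces. As a system-layer interface, it would read more consistently grouped with the other system-layer calls after that block.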