From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 14 Aug 2016 14:52:53 -0400
Subject: [refpolicy] [PATCH v4] Ifconfig should be able to read firmware files
In-Reply-To: <1471199345.27146.9.camel@trentalancia.net>
References: <1470676296.2540.1.camel@trentalancia.net>
 <83b01d15-48f4-0d32-27de-9881c49e402b@gmail.com>
 <1470687673.2643.3.camel@trentalancia.net>
 <1326307832.942736.1471125859717.JavaMail.open-xchange@popper02.register.it>
 <1471199345.27146.9.camel@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/14/16 14:29, Guido Trentalancia wrote:
> Ifconfig should be able to read firmware files in /lib (i.e. some network
> cards need to load their firmware) and it should not audit attempts
> to load kernel modules directly.
>
> Signed-off-by: Guido Trentalancia
> ---
> policy/modules/system/sysnetwork.te | 3 +++
> 1 file changed, 3 insertions(+)
>
> --- refpolicy-git-06082016-orig/policy/modules/system/sysnetwork.te 2016-08-06 21:26:43.309774442 +0200
> +++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te 2016-08-14 20:17:19.170766644 +0200
> @@ -262,6 +269,7 @@ optional_policy(`
> #
>
> allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };
> +dontaudit ifconfig_t self:capability sys_module;
> allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
> allow ifconfig_t self:fd use;
> allow ifconfig_t self:fifo_file rw_fifo_file_perms;
> @@ -308,6 +316,8 @@ files_read_etc_runtime_files(ifconfig_t)
> fs_getattr_xattr_fs(ifconfig_t)
> fs_search_auto_mountpoints(ifconfig_t)
>
> +libs_read_lib_files(ifconfig_t)
> +
> selinux_dontaudit_getattr_fs(ifconfig_t)
>
> term_dontaudit_use_console(ifconfig_t)

Merged.

-- 
Chris PeBenito
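Review bot: the added `+dontaudit ifconfig_t self:capability sys_module;` in the first hunk has no comment saying why the capability is silenced instead of granted, while the adjacent `allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };` grants the other capabilities outright; a reader auditing ifconfig_t later cannot tell from the policy whether module loading is expected to fail harmlessly or whether the kernel's own module autoloading covers the need. Suggest a one-line comment above the dontaudit stating that ifconfig/ip probing may request a module and that actual loading is left to the kernel. Also note that the hunk header `@@ -262,6 +269,7 @@` already shows a 7-line offset between old and new before this hunk, which suggests the patch was generated on top of other local changes and may need rebasing to apply cleanly to the upstream tree.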
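Review bot: in the second hunk, `+libs_read_lib_files(ifconfig_t)` grants read access to every library file covered by that interface, which is wider than the "firmware files in /lib" the commit message describes; if the policy has no narrower firmware-specific type or interface this is the available choice, but a comment line above the call naming the purpose (network card firmware) would keep the reason visible and make the permission easy to revisit if a narrower interface appears. The placement itself follows the file's convention: interface calls are grouped alphabetically by module prefix, and `libs_` sits correctly between the `fs_*` calls above and `selinux_dontaudit_getattr_fs(ifconfig_t)` below.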