From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 13 Aug 2017 19:53:18 -0400 Subject: [refpolicy] [PATCH 1/1] corecommands: label dhcpcd hook scripts bin_t In-Reply-To: <20170812095101.10534-1-nicolas.iooss@m4x.org> References: <20170812095101.10534-1-nicolas.iooss@m4x.org> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/12/2017 05:51 AM, Nicolas Iooss via refpolicy wrote: > dhcpcd executes scripts in /usr/lib/dhcpcd/: > > avc: denied { execute_no_trans } for pid=608 comm="dhcpcd" > path="/usr/lib/dhcpcd/dhcpcd-run-hooks" dev="vda1" ino=406981 > scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:lib_t > tclass=file permissive=1 > --- > policy/modules/kernel/corecommands.fc | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc > index d30445437fc2..ce4218fed6dd 100644 > --- a/policy/modules/kernel/corecommands.fc > +++ b/policy/modules/kernel/corecommands.fc > @@ -165,6 +165,8 @@ ifdef(`distro_gentoo',` > /usr/lib/at-spi2-core(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0) > /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) > +/usr/lib/dhcpcd/dhcpcd-hooks(/.*)? gen_context(system_u:object_r:bin_t,s0) > +/usr/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) > /usr/lib/dovecot/.+ gen_context(system_u:object_r:bin_t,s0) > /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) 
> @@ -338,8 +340,6 @@ ifdef(`distro_gentoo', ` > /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/.*-.*-linux-gnu/binutils-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) > > -/usr/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) > - > /usr/lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0) Merged. -- Chris PeBenito
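Review bot: In the hunk at @@ -165,6 +165,8 @@, the added "/usr/lib/dhcpcd/dhcpcd-hooks(/.*)?" entry is not justified by the commit message, whose only AVC is for path="/usr/lib/dhcpcd/dhcpcd-run-hooks" with tcontext lib_t. That denial was logged with permissive=1, so please add to the message the denial, or a sentence, showing that dhcpc_t needs the files under dhcpcd-hooks labelled bin_t. Unlike the "dhcpcd-run-hooks --" line, this pattern has no file-type field, so it applies bin_t to the directory and to every object below it. That matches neighbours such as "/usr/lib/ccache/bin(/.*)?", but it is worth confirming that the broader match is intended.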
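Review bot: The removal at @@ -338,8 +340,6 @@ drops the "dhcpcd-run-hooks" entry from a block whose hunk header reads ifdef(`distro_gentoo', and the commit message does not say that the entry is being moved rather than newly added. The first hunk's header also shows an ifdef(`distro_gentoo' line as context, so the diff alone does not make clear whether the new location at line 165 is unconditional. Suggest stating in the message that the label is moved out of the Gentoo-only section and now applies to every distribution, if that is the intent, so that the wider scope is an explicit, reviewed decision.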