From: russell@coker.com.au (Russell Coker) Date: Wed, 14 Feb 2018 00:17:04 +1100 Subject: [refpolicy] rawip_socket permissions Message-ID: <3088676.kIsrdd9GrL@xev> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com I was working on NetworkManager policy and needed to write policy for rawip_socket access. As there wasn't a macro specifying the permissions needed I decided to grep the existing policy to see what others have done, this shows the need for such a macro: admin/netutils.te:allow traceroute_t self:rawip_socket create_socket_perms; admin/netutils.te:allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr }; Two different uses in the one file. I hope I didn't write that. contrib/automount.te:allow automount_t self:rawip_socket create_socket_perms; contrib/collectd.te:allow collectd_t self:rawip_socket create_socket_perms; contrib/cups.te:allow hplip_t self:rawip_socket create_socket_perms; contrib/iodine.te:allow iodined_t self:rawip_socket create_socket_perms; contrib/l2tp.te:allow l2tpd_t self:rawip_socket create_socket_perms; contrib/nessus.te:allow nessusd_t self:rawip_socket create_socket_perms; contrib/openvswitch.te:allow openvswitch_t self:rawip_socket create_socket_perms; contrib/ppp.te:allow pptp_t self:rawip_socket create_socket_perms; contrib/psad.te:allow psad_t self:rawip_socket create_socket_perms; contrib/radvd.te:allow radvd_t self:rawip_socket create_socket_perms; contrib/rdisc.te:allow rdisc_t self:rawip_socket create_socket_perms; contrib/vmware.te:allow vmware_host_t self:rawip_socket create_socket_perms; contrib/vpn.te:allow vpnc_t self:rawip_socket create_socket_perms; contrib/watchdog.te:allow watchdog_t self:rawip_socket create_socket_perms; contrib/zebra.te:allow zebra_t self:rawip_socket create_socket_perms; contrib/pingd.te:allow pingd_t self:rawip_socket create_socket_perms; contrib/dhcp.te:allow dhcpd_t self:rawip_socket create_socket_perms; contrib/dnsmasq.te:allow dnsmasq_t self:rawip_socket create_socket_perms; contrib/virt.te:allow virtd_t self:rawip_socket create_socket_perms; contrib/virt.te:allow svirt_lxc_net_t self:rawip_socket create_socket_perms; system/udev.te:allow udev_t self:rawip_socket create_socket_perms; system/modutils.te:allow kmod_t self:rawip_socket create_socket_perms; system/systemd.te:allow systemd_networkd_t self:rawip_socket create_socket_perms; system/iptables.te:allow iptables_t self:rawip_socket create_socket_perms; system/sysnetwork.te:allow dhcpc_t self:rawip_socket create_socket_perms; create_socket_perms is the obvious favourite, while the rawip_socket class inherits everything from socket, is there anything that actually does a bind or connect operation on rawip? I guess there's no harm having an allow rule for something that can't happen, but it's confusing if nothing else. contrib/monit.te:allow monit_t self:rawip_socket connected_socket_perms; contrib/squid.te: allow squid_t self:rawip_socket connected_socket_perms; The same for connected_socket_perms, it allows bind but not connect. contrib/telepathy.te:allow telepathy_sofiasip_t self:rawip_socket create_stream_socket_perms; create_stream_socket_perms has the obvious issue that rawip is not a stream, but also listen and accept aren't operations that are going to happen on rawip. contrib/portage.if: allow $1 self:rawip_socket { create ioctl }; I wonder what this is about. I guess it's possible that some code in portage creates a rawip socket but does nothing with it, but if so that would be a bug in the code. It could be that the code creates a rawip socket and then gets an error when it can't use it. define(`rawip_socket_perms', `{ create getopt setopt getattr read write }') Maybe we need something like the above in the policy. In a quick test I couldn't get any other access to be used. Why does hplip need rawip access? Is it for mDNS? I think we need a boolean for that, I don't want my print server reading all network traffic. Why does collectd need rawip access? Is it for multicast? This is a first analysis of the issue. After getting suggestions I'll write a patch, test it on a few different systems, and send it for discussion. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/