2017-06-21 15:28:35

by Guido Trentalancia

Subject: [refpolicy] [PATCH] userdomain: allow netlink_kobject_uevent_socket creation

Not auditing this turns out to be the wrong choice for
several reasons.

For normal application functioning the user domain
should be able to create netlink_kobject_uevent_socket
sockets.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/userdomain.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/policy/modules/system/userdomain.if 2017-04-26 17:47:14.081423048 +0200
+++ b/policy/modules/system/userdomain.if 2017-06-21 17:12:39.854541009 +0200
@@ -530,8 +530,8 @@ template(`userdom_common_user_template',
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };

- # gnome-settings-daemon tries to create a netlink socket
- dontaudit $1_t self:netlink_kobject_uevent_socket create_socket_perms;
+ # gnome-settings-daemon and some applications create a netlink socket
+ allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;

allow $1_t unpriv_userdomain:fd use;
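Review bot: the commit message says that not auditing was "the wrong choice for several reasons" but names none of them, and the replacement comment only says "some applications"; since this hunk widens every domain built from userdom_common_user_template from dontaudit to allow, the message and the code comment should state which applications fail without it and what they actually need. Note that create_socket_perms grants bind as well as create, so the domain can also subscribe to kernel uevent broadcasts, not merely create the socket; if creation alone suffices, a narrower permission set would be the safer change. The Subject and body also spell the class as netlink_kobject_uvent_socket while the hunk uses netlink_kobject_uevent_socket.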



2017-08-06 15:15:15

by Chris PeBenito

Subject: [refpolicy] [PATCH] userdomain: allow netlink_kobject_uevent_socket creation

On 06/21/2017 11:28 AM, Guido Trentalancia via refpolicy wrote:
> Not auditing this turns out to be the wrong choice for
> several reasons.
>
> For normal application functioning the user domain
> should be able to create netlink_kobject_uevent_socket
> sockets.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/system/userdomain.if | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> --- a/policy/modules/system/userdomain.if 2017-04-26 17:47:14.081423048 +0200
> +++ b/policy/modules/system/userdomain.if 2017-06-21 17:12:39.854541009 +0200
> @@ -530,8 +530,8 @@ template(`userdom_common_user_template',
> dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
> dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
>
> - # gnome-settings-daemon tries to create a netlink socket
> - dontaudit $1_t self:netlink_kobject_uevent_socket create_socket_perms;
> + # gnome-settings-daemon and some applications create a netlink socket
> + allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
>
> allow $1_t unpriv_userdomain:fd use;

Merged.


--
Chris PeBenito