[refpolicy] [PATCH 0/6] Wireshark application updates

[refpolicy] [PATCH 0/6] Wireshark application updates

[Sven Vermeulen]

This is a set of simple updates on the wireshark application.

- Support the use of user terminals
- Access /dev/random
- Remove duplicate corecmd_search_bin
- Allow wireshark to execute bin_t
- Let dumpcap dump its packets
- Grant access to sysfs

Wkr,
	Sven Vermeulen

[refpolicy] [PATCH 1/6] Allow using user terminals

[Sven Vermeulen]

In order to debug wireshark startup issues, it is important that
wireshark, when started from a command line, is allowed to output its
error messages.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/apps/wireshark.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 8bfe97d..0106846 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -93,6 +93,7 @@ seutil_use_newrole_fds(wireshark_t)
 sysnet_read_config(wireshark_t)
 
 userdom_manage_user_home_content_files(wireshark_t)
+userdom_use_user_terminals(wireshark_t)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(wireshark_t)
-- 
1.7.3.4

[refpolicy] [PATCH 1/6] Allow using user terminals

[Christopher J. PeBenito]

On 09/04/11 07:25, Sven Vermeulen wrote:
> In order to debug wireshark startup issues, it is important that
> wireshark, when started from a command line, is allowed to output its
> error messages.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/apps/wireshark.te |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
> index 8bfe97d..0106846 100644
> --- a/policy/modules/apps/wireshark.te
> +++ b/policy/modules/apps/wireshark.te
> @@ -93,6 +93,7 @@ seutil_use_newrole_fds(wireshark_t)
>  sysnet_read_config(wireshark_t)
>  
>  userdom_manage_user_home_content_files(wireshark_t)
> +userdom_use_user_terminals(wireshark_t)
>  
>  tunable_policy(`use_nfs_home_dirs',`
>  	fs_manage_nfs_dirs(wireshark_t)

Isn't wireshark an X app?  Wouldn't it only need pty access?


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [PATCH 1/6] Allow using user terminals

[Sven Vermeulen]

On Tue, Sep 06, 2011 at 02:30:47PM -0400, Christopher J. PeBenito wrote:
> On 09/04/11 07:25, Sven Vermeulen wrote:
> > In order to debug wireshark startup issues, it is important that
> > wireshark, when started from a command line, is allowed to output its
> > error messages.
[...]
> > +userdom_use_user_terminals(wireshark_t)
> 
> Isn't wireshark an X app?  Wouldn't it only need pty access?
> 

Ah yes, my bad. That was a remainder from an earlier attempt where dumpcap
too was labeled wireshark_exec_t (in the hope that I didn't need to allow
execute rights on bin_t) which is a commandline application (and useful in
batch jobs or scripts without need for wireshark).

I'll resubmit with userdom_use_user_ptys().

Wkr,
	Sven Vermeulen

[refpolicy] [PATCH 2/6] Allow wireshark to use the random device

[Sven Vermeulen]

It already has the rights to use the urandom device, but access to the
random device is also needed.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/apps/wireshark.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 0106846..9f9d24a 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -75,6 +75,7 @@ corecmd_search_bin(wireshark_t)
 corenet_tcp_connect_generic_port(wireshark_t)
 corenet_tcp_sendrecv_generic_if(wireshark_t)
 
+dev_read_rand(wireshark_t)
 dev_read_urand(wireshark_t)
 
 files_read_etc_files(wireshark_t)
-- 
1.7.3.4

[refpolicy] [PATCH 3/6] Remove duplicate corecmd_search_bin

[Sven Vermeulen]

Title sais it all, the module used "corecmd_search_bin" twice.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/apps/wireshark.te |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 9f9d24a..32b5ca8 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -46,7 +46,6 @@ allow wireshark_t self:udp_socket create_socket_perms;
 
 # Re-execute itself (why?)
 can_exec(wireshark_t, wireshark_exec_t)
-corecmd_search_bin(wireshark_t)
 
 # /home/.wireshark
 manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
-- 
1.7.3.4

[refpolicy] [PATCH 4/6] Allow wireshark to execute bin_t

[Sven Vermeulen]

Wireshark needs to be able to execute applications, definitely for its
plugin support, but also to call the dumpcap utility (part of the
wireshark distribution) to be able to dump the network traffic.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/apps/wireshark.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 32b5ca8..5ee2530 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -69,6 +69,7 @@ kernel_read_kernel_sysctls(wireshark_t)
 kernel_read_system_state(wireshark_t)
 kernel_read_sysctl(wireshark_t)
 
+corecmd_exec_bin(wireshark_t)
 corecmd_search_bin(wireshark_t)
 
 corenet_tcp_connect_generic_port(wireshark_t)
-- 
1.7.3.4

[refpolicy] [PATCH 5/6] Dumpcap dumps the packets as packet_socket

[Sven Vermeulen]

The dumpcap utility (running in the wireshark_t domain) needs to be able
to write packet_sockets

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/apps/wireshark.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 5ee2530..78afc39 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -40,7 +40,7 @@ allow wireshark_t self:fifo_file { getattr read write };
 allow wireshark_t self:shm destroy;
 allow wireshark_t self:shm create_shm_perms;
 allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms };
-allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read };
+allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read write };
 allow wireshark_t self:tcp_socket create_socket_perms;
 allow wireshark_t self:udp_socket create_socket_perms;
 
-- 
1.7.3.4

[refpolicy] [PATCH 6/6] Grant wireshark read access on sysfs

[Sven Vermeulen]

The wireshark utility reads information from the network devices listed
in the sysfs hierarchy.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/apps/wireshark.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 78afc39..a19c7ff 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -76,6 +76,7 @@ corenet_tcp_connect_generic_port(wireshark_t)
 corenet_tcp_sendrecv_generic_if(wireshark_t)
 
 dev_read_rand(wireshark_t)
+dev_read_sysfs(wireshark_t)
 dev_read_urand(wireshark_t)
 
 files_read_etc_files(wireshark_t)
-- 
1.7.3.4