[refpolicy] [PATCHv2 0/6] Wireshark application updates

[refpolicy] [PATCHv2 0/6] Wireshark application updates

[Sven Vermeulen]

This is a set of simple updates on the wireshark application.

- Support the use of user terminals
- Access /dev/random
- Remove duplicate corecmd_search_bin
- Allow wireshark to execute bin_t
- Let dumpcap dump its packets
- Grant access to sysfs

Changes since v1
================

- Use userdom_use_user_ptys instead of _terminals
- Generate patch from within contrib submodule

	    Wkr,
	    	Sven Vermeulen

[refpolicy] [PATCHv2 1/6] Allow using user terminals

[Sven Vermeulen]

In order to debug wireshark startup issues, it is important that
wireshark, when started from a command line, is allowed to output its
error messages.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 wireshark.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/wireshark.te b/wireshark.te
index 8bfe97d..5ea50f5 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -93,6 +93,7 @@ seutil_use_newrole_fds(wireshark_t)
 sysnet_read_config(wireshark_t)
 
 userdom_manage_user_home_content_files(wireshark_t)
+userdom_use_user_ptys(wireshark_t)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(wireshark_t)
-- 
1.7.3.4

[refpolicy] [PATCHv2 2/6] Allow wireshark to use the random device

[Sven Vermeulen]

It already has the rights to use the urandom device, but access to the
random device is also needed.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 wireshark.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/wireshark.te b/wireshark.te
index 5ea50f5..94ab49a 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -75,6 +75,7 @@ corecmd_search_bin(wireshark_t)
 corenet_tcp_connect_generic_port(wireshark_t)
 corenet_tcp_sendrecv_generic_if(wireshark_t)
 
+dev_read_rand(wireshark_t)
 dev_read_urand(wireshark_t)
 
 files_read_etc_files(wireshark_t)
-- 
1.7.3.4

[refpolicy] [PATCHv2 3/6] Remove duplicate corecmd_search_bin

[Sven Vermeulen]

Title sais it all, the module used "corecmd_search_bin" twice.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 wireshark.te |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/wireshark.te b/wireshark.te
index 94ab49a..db06f15 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -46,7 +46,6 @@ allow wireshark_t self:udp_socket create_socket_perms;
 
 # Re-execute itself (why?)
 can_exec(wireshark_t, wireshark_exec_t)
-corecmd_search_bin(wireshark_t)
 
 # /home/.wireshark
 manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
-- 
1.7.3.4

[refpolicy] [PATCHv2 4/6] Allow wireshark to execute bin_t

[Sven Vermeulen]

Wireshark needs to be able to execute applications, definitely for its
plugin support, but also to call the dumpcap utility (part of the
wireshark distribution) to be able to dump the network traffic.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 wireshark.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/wireshark.te b/wireshark.te
index db06f15..2ec43c4 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -69,6 +69,7 @@ kernel_read_kernel_sysctls(wireshark_t)
 kernel_read_system_state(wireshark_t)
 kernel_read_sysctl(wireshark_t)
 
+corecmd_exec_bin(wireshark_t)
 corecmd_search_bin(wireshark_t)
 
 corenet_tcp_connect_generic_port(wireshark_t)
-- 
1.7.3.4

[refpolicy] [PATCHv2 5/6] Dumpcap dumps the packets as packet_socket

[Sven Vermeulen]

The dumpcap utility (running in the wireshark_t domain) needs to be able
to write packet_sockets

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 wireshark.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/wireshark.te b/wireshark.te
index 2ec43c4..7b325bc 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -40,7 +40,7 @@ allow wireshark_t self:fifo_file { getattr read write };
 allow wireshark_t self:shm destroy;
 allow wireshark_t self:shm create_shm_perms;
 allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms };
-allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read };
+allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read write };
 allow wireshark_t self:tcp_socket create_socket_perms;
 allow wireshark_t self:udp_socket create_socket_perms;
 
-- 
1.7.3.4

[refpolicy] [PATCH 6/6] Grant wireshark read access on sysfs

[Sven Vermeulen]

The wireshark utility reads information from the network devices listed
in the sysfs hierarchy.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 wireshark.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/wireshark.te b/wireshark.te
index 7b325bc..18e7924 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -76,6 +76,7 @@ corenet_tcp_connect_generic_port(wireshark_t)
 corenet_tcp_sendrecv_generic_if(wireshark_t)
 
 dev_read_rand(wireshark_t)
+dev_read_sysfs(wireshark_t)
 dev_read_urand(wireshark_t)
 
 files_read_etc_files(wireshark_t)
-- 
1.7.3.4

[refpolicy] [PATCHv2 0/6] Wireshark application updates

[Christopher J. PeBenito]

On 09/09/11 15:46, Sven Vermeulen wrote:
> This is a set of simple updates on the wireshark application.
> 
> - Support the use of user terminals
> - Access /dev/random
> - Remove duplicate corecmd_search_bin
> - Allow wireshark to execute bin_t
> - Let dumpcap dump its packets
> - Grant access to sysfs
> 
> Changes since v1
> ================
> 
> - Use userdom_use_user_ptys instead of _terminals
> - Generate patch from within contrib submodule

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com