* [refpolicy] [PATCH 2/2] DHCPC daemon init network interface
@ 2010-11-28  8:45 Chris Richards
  2010-11-28 10:10 ` Dominick Grift
  0 siblings, 1 reply; 4+ messages in thread
From: Chris Richards @ 2010-11-28  8:45 UTC (permalink / raw)
  To: refpolicy

Signed-off-by: Chris Richards <gizmo@giz-works.com>
---
 policy/modules/system/sysnetwork.te |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index dfbe736..640334d 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -50,7 +50,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
 allow dhcpc_t self:tcp_socket create_stream_socket_perms;
 allow dhcpc_t self:udp_socket create_socket_perms;
 allow dhcpc_t self:packet_socket create_socket_perms;
-allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
 
 allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
 read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
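Review bot: The `nlmsg_write` added to the `netlink_route_socket` rule has no stated rationale, since the commit message carries only the subject and a Signed-off-by. `nlmsg_write` lets dhcpc_t send netlink route messages that modify state rather than only query it, so the message should name the operation that needs it (the subject points at interface initialization) and quote the denial that was observed. As a style point, the set is now open-coded as `{ create_socket_perms nlmsg_read nlmsg_write }`; if the policy already defines a permission-set macro for exactly this set, use it so the rule reads like the other `self:` socket rules in this block.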
@@ -81,7 +81,7 @@ domtrans_pattern(dhcpc_t, ifconfig_exec_t, ifconfig_t)
 
 kernel_read_system_state(dhcpc_t)
 kernel_read_network_state(dhcpc_t)
-kernel_search_network_sysctl(dhcpc_t)
+kernel_rw_net_sysctls(dhcpc_t)
 kernel_read_kernel_sysctls(dhcpc_t)
 kernel_request_load_module(dhcpc_t)
 kernel_use_fds(dhcpc_t)
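Review bot: Replacing `kernel_search_network_sysctl(dhcpc_t)` with `kernel_rw_net_sysctls(dhcpc_t)` moves, going by the interface names, from searching the network sysctl directories to reading and writing network sysctls, and the commit message does not say which sysctl dhcpc_t has to write. Name the sysctl and the failing operation in the commit message, and confirm that write access is backed by an actual denial rather than granted alongside read access for convenience. If only read access turns out to be needed, a read-only interface is the narrower choice for a domain that already handles untrusted network input.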
-- 
1.7.3.2


* [refpolicy] [PATCH 2/2] DHCPC daemon init network interface
  2010-11-28  8:45 [refpolicy] [PATCH 2/2] DHCPC daemon init network interface Chris Richards
@ 2010-11-28 10:10 ` Dominick Grift
  2010-11-28 21:09   ` Chris Richards
  0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2010-11-28 10:10 UTC (permalink / raw)
  To: refpolicy

On Sun, Nov 28, 2010 at 02:45:59AM -0600, Chris Richards wrote:
> Signed-off-by: Chris Richards <gizmo@giz-works.com>
> ---
>  policy/modules/system/sysnetwork.te |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index dfbe736..640334d 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -50,7 +50,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
>  allow dhcpc_t self:tcp_socket create_stream_socket_perms;
>  allow dhcpc_t self:udp_socket create_socket_perms;
>  allow dhcpc_t self:packet_socket create_socket_perms;
> -allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
> +allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };

I am not sure, but I suspect we may be able to use create_netlink_socket_perms here.
>  
>  allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
>  read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
> @@ -81,7 +81,7 @@ domtrans_pattern(dhcpc_t, ifconfig_exec_t, ifconfig_t)
>  
>  kernel_read_system_state(dhcpc_t)
>  kernel_read_network_state(dhcpc_t)
> -kernel_search_network_sysctl(dhcpc_t)
> +kernel_rw_net_sysctls(dhcpc_t)
>  kernel_read_kernel_sysctls(dhcpc_t)
>  kernel_request_load_module(dhcpc_t)
>  kernel_use_fds(dhcpc_t)
> -- 
> 1.7.3.2
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


* [refpolicy] [PATCH 2/2] DHCPC daemon init network interface
  2010-11-28 10:10 ` Dominick Grift
@ 2010-11-28 21:09   ` Chris Richards
  2010-12-15 20:02     ` Christopher J. PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Chris Richards @ 2010-11-28 21:09 UTC (permalink / raw)
  To: refpolicy

Ah, you are correct.  I just saw that I could simply add the nlmsg_write 
to what was already there and simply added it.  I never even thought 
about looking to see if there was a macro already defined for that.  D'oh!

We'll see if PeBenito wants me to resubmit with the change.

Later,
Chris

On 11/28/2010 04:10 AM, Dominick Grift wrote:
> On Sun, Nov 28, 2010 at 02:45:59AM -0600, Chris Richards wrote:
>> Signed-off-by: Chris Richards<gizmo@giz-works.com>
>> ---
>>   policy/modules/system/sysnetwork.te |    4 ++--
>>   1 files changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
>> index dfbe736..640334d 100644
>> --- a/policy/modules/system/sysnetwork.te
>> +++ b/policy/modules/system/sysnetwork.te
>> @@ -50,7 +50,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
>>   allow dhcpc_t self:tcp_socket create_stream_socket_perms;
>>   allow dhcpc_t self:udp_socket create_socket_perms;
>>   allow dhcpc_t self:packet_socket create_socket_perms;
>> -allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
>> +allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
> i am not sure but i suspect we may be able to use create_netlink_socket_perms here
>>
>>   allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
>>   read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
>> @@ -81,7 +81,7 @@ domtrans_pattern(dhcpc_t, ifconfig_exec_t, ifconfig_t)
>>
>>   kernel_read_system_state(dhcpc_t)
>>   kernel_read_network_state(dhcpc_t)
>> -kernel_search_network_sysctl(dhcpc_t)
>> +kernel_rw_net_sysctls(dhcpc_t)
>>   kernel_read_kernel_sysctls(dhcpc_t)
>>   kernel_request_load_module(dhcpc_t)
>>   kernel_use_fds(dhcpc_t)
>> -- 
>> 1.7.3.2
>>


* [refpolicy] [PATCH 2/2] DHCPC daemon init network interface
  2010-11-28 21:09   ` Chris Richards
@ 2010-12-15 20:02     ` Christopher J. PeBenito
  0 siblings, 0 replies; 4+ messages in thread
From: Christopher J. PeBenito @ 2010-12-15 20:02 UTC (permalink / raw)
  To: refpolicy

On 11/28/10 16:09, Chris Richards wrote:
> Ah, you are correct.  I just saw that I could simply add the nlmsg_write 
> to what was already there and simply added it.  I never even thought 
> about looking to see if there was a macro already defined for that.  D'oh!
> 
> We'll see if PeBenito wants me to resubmit with the change.

Might as well resubmit as I have comments on other patches.


> On 11/28/2010 04:10 AM, Dominick Grift wrote:
>> On Sun, Nov 28, 2010 at 02:45:59AM -0600, Chris Richards wrote:
>>> Signed-off-by: Chris Richards<gizmo@giz-works.com>
>>> ---
>>>   policy/modules/system/sysnetwork.te |    4 ++--
>>>   1 files changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
>>> index dfbe736..640334d 100644
>>> --- a/policy/modules/system/sysnetwork.te
>>> +++ b/policy/modules/system/sysnetwork.te
>>> @@ -50,7 +50,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
>>>   allow dhcpc_t self:tcp_socket create_stream_socket_perms;
>>>   allow dhcpc_t self:udp_socket create_socket_perms;
>>>   allow dhcpc_t self:packet_socket create_socket_perms;
>>> -allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
>>> +allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
>> i am not sure but i suspect we may be able to use create_netlink_socket_perms here
>>>
>>>   allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
>>>   read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
>>> @@ -81,7 +81,7 @@ domtrans_pattern(dhcpc_t, ifconfig_exec_t, ifconfig_t)
>>>
>>>   kernel_read_system_state(dhcpc_t)
>>>   kernel_read_network_state(dhcpc_t)
>>> -kernel_search_network_sysctl(dhcpc_t)
>>> +kernel_rw_net_sysctls(dhcpc_t)
>>>   kernel_read_kernel_sysctls(dhcpc_t)
>>>   kernel_request_load_module(dhcpc_t)
>>>   kernel_use_fds(dhcpc_t)
>>> -- 
>>> 1.7.3.2
>>>


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
