* [refpolicy] [PATCH 1/1] Allow dhcp client to update kernel routing table plus context updates
From: Sven Vermeulen @ 2011-08-23 11:18 UTC
  To: refpolicy

This small patch updates the dhcpc_t (DHCP client domain) to allow updating the
kernel's routing tables (as that is a primary purpose of a DHCP client) as well
as interact with the kernel through the net_sysctls.

Also, one client (dhcpcd) uses /var/run/dhcpcd so add that in the file context
definition as well.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/sysnetwork.fc |    1 +
 policy/modules/system/sysnetwork.te |    3 ++-
 2 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 694fd94..f515dd5 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -60,6 +60,7 @@ ifdef(`distro_redhat',`
 /var/lib/wifiroamd(/.*)?	gen_context(system_u:object_r:dhcpc_state_t,s0)
 
 /var/run/dhclient.*	--	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+/var/run/dhcpcd(/.*)?		gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 
 ifdef(`distro_gentoo',`
 /var/lib/dhcpc(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
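
Review bot: The added `/var/run/dhcpcd(/.*)?` entry has no file-type field, while the `/var/run/dhclient.*` entry just above it is limited to regular files with `--`, so the new entry labels the directory itself and any sockets or other objects under it as dhcpc_var_run_t. That is probably the intent for a runtime directory, but nothing in this patch adds a matching rule in sysnetwork.te; please confirm that dhcpc_t can already create and manage directories of this type and that the pid file transition covers the dir class, otherwise a directory created at runtime will not carry this label until it is relabeled. The pattern also matches only the directory tree, so a file placed directly in /var/run with a dhcpcd prefix is not covered by this rule.
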
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index d716d35..889b2a2 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -50,7 +50,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
 allow dhcpc_t self:tcp_socket create_stream_socket_perms;
 allow dhcpc_t self:udp_socket create_socket_perms;
 allow dhcpc_t self:packet_socket create_socket_perms;
-allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
 
 allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
 read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
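
Review bot: `nlmsg_write` on the netlink_route_socket line is broader than the commit message's "updating the kernel's routing tables": the permission gates every modifying rtnetlink request on the domain's own socket, which includes address and link changes as well as routes. That is reasonable for a DHCP client, but the rule carries no comment; a one-line comment above it saying why write access is needed would record the justification next to the rule. The hunk does not show the domain's capability rules, so it is worth checking that net_admin is already granted to dhcpc_t, since without it the kernel refuses these requests regardless of this permission.
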
@@ -85,6 +85,7 @@ kernel_search_network_sysctl(dhcpc_t)
 kernel_read_kernel_sysctls(dhcpc_t)
 kernel_request_load_module(dhcpc_t)
 kernel_use_fds(dhcpc_t)
+kernel_rw_net_sysctls(dhcpc_t)
 
 corecmd_exec_bin(dhcpc_t)
 corecmd_exec_shell(dhcpc_t)
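
Review bot: `kernel_rw_net_sysctls(dhcpc_t)` gives write access to the net sysctl tree, but the commit message only says the client should "interact with the kernel through the net_sysctls" and names neither the sysctl that is written nor the client that needs it. Please cite the denial or the setting that prompted this, and if only reads were observed use kernel_read_net_sysctls instead. The context lines show corecmd_exec_bin and corecmd_exec_shell for the same domain, so helper scripts the client runs without a domain transition would hold this write access too, which is a reason to keep it as narrow as the evidence supports. kernel_search_network_sysctl(dhcpc_t), visible in the hunk header, is likely redundant once this line is in.
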
-- 
1.7.3.4


* [refpolicy] [PATCH 1/1] Allow dhcp client to update kernel routing table plus context updates
From: Christopher J. PeBenito @ 2011-08-24 13:16 UTC
  To: refpolicy

On 08/23/11 07:18, Sven Vermeulen wrote:
> This small patch updates the dhcpc_t (DHCP client domain) to allow updating the
> kernel's routing tables (as that is a primary purpose of a DHCP client) as well
> as interact with the kernel through the net_sysctls.
> 
> Also, one client (dhcpcd) uses /var/run/dhcpcd so add that in the file context
> definition as well.

Merged.

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/system/sysnetwork.fc |    1 +
>  policy/modules/system/sysnetwork.te |    3 ++-
>  2 files changed, 3 insertions(+), 1 deletions(-)
> 
> diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
> index 694fd94..f515dd5 100644
> --- a/policy/modules/system/sysnetwork.fc
> +++ b/policy/modules/system/sysnetwork.fc
> @@ -60,6 +60,7 @@ ifdef(`distro_redhat',`
>  /var/lib/wifiroamd(/.*)?	gen_context(system_u:object_r:dhcpc_state_t,s0)
>  
>  /var/run/dhclient.*	--	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
> +/var/run/dhcpcd(/.*)?		gen_context(system_u:object_r:dhcpc_var_run_t,s0)
>  
>  ifdef(`distro_gentoo',`
>  /var/lib/dhcpc(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index d716d35..889b2a2 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -50,7 +50,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
>  allow dhcpc_t self:tcp_socket create_stream_socket_perms;
>  allow dhcpc_t self:udp_socket create_socket_perms;
>  allow dhcpc_t self:packet_socket create_socket_perms;
> -allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
> +allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
>  
>  allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
>  read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
> @@ -85,6 +85,7 @@ kernel_search_network_sysctl(dhcpc_t)
>  kernel_read_kernel_sysctls(dhcpc_t)
>  kernel_request_load_module(dhcpc_t)
>  kernel_use_fds(dhcpc_t)
> +kernel_rw_net_sysctls(dhcpc_t)
>  
>  corecmd_exec_bin(dhcpc_t)
>  corecmd_exec_shell(dhcpc_t)


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
