* [refpolicy] [PATCH 0/2] Small dhcpc_t updates
From: Sven Vermeulen @ 2013-05-07 18:37 UTC
To: refpolicy

A few small dhcpc_t updates; one to support pump, another to support IPv6
NDP clients.

Sven Vermeulen (2):
  Update for pump DHCP client
  Support IPv6 Neighbor Discovery Protocol for dhcpcd

 policy/modules/system/sysnetwork.te | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

-- 
1.8.1.5
* [refpolicy] [PATCH 1/2] Update for pump DHCP client 2013-05-07 18:37 [refpolicy] [PATCH 0/2] Small dhcpc_t updates Sven Vermeulen @ 2013-05-07 18:37 ` Sven Vermeulen 2013-05-09 13:17 ` Christopher J. PeBenito 2013-05-07 18:37 ` [refpolicy] [PATCH 2/2] Support IPv6 Neighbor Discovery Protocol for dhcpcd Sven Vermeulen 1 sibling, 1 reply; 7+ messages in thread From: Sven Vermeulen @ 2013-05-07 18:37 UTC (permalink / raw) To: refpolicy When invoking the pump DHCP client, the client immediately aborts. No errors are shown, but the process isn't running and the returncode is 1. The denials reveal that pump wants to create a socket in /var/run (called pump.sock). After granting dhcpc_t the rights to manage dhcpc_var_run_t sock_file's and introduce a files_pid_filetrans for sock_file, pump gives the next failure: ~# pump -i eth0 failed to connect to localhost:bootpc: Connection refused >From the denials, we get that pump requires "accept" on its own unix_stream_socket, which iteratively expands to "accept listen connectto". Once assigned, pump seems to work again. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- policy/modules/system/sysnetwork.te | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 11247e2..49c5dfe 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -54,6 +54,7 @@ allow dhcpc_t self:tcp_socket create_stream_socket_perms; allow dhcpc_t self:udp_socket create_socket_perms; allow dhcpc_t self:packet_socket create_socket_perms; allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; +allow dhcpc_t self:unix_stream_socket { accept listen connectto }; allow dhcpc_t dhcp_etc_t:dir list_dir_perms; read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) 
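Review bot: the hunk's new line `allow dhcpc_t self:unix_stream_socket { accept listen connectto };` writes out a partial permission set by hand; spell it as `allow dhcpc_t self:unix_stream_socket { create_stream_socket_perms connectto };`. accept and listen are members of create_stream_socket_perms, and the rest of that set (create, read, write and friends) currently reaches dhcpc_t only indirectly, through logging_send_syslog_msg(), so the rule as written keeps pump working only for as long as that interface keeps granting them. The macro form makes dhcpc_t's ownership of a listening stream socket explicit in its own module and matches the `self:tcp_socket create_stream_socket_perms` line in the same hunk's context.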
@@ -64,9 +65,10 @@ manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t) filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) # create pid file +allow dhcpc_t dhcpc_var_run_t:sock_file manage_sock_file_perms; manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) create_dirs_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) -files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir }) +files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir sock_file }) # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. -- 1.8.1.5 ^ permalink raw reply related [flat|nested] 7+ messages in thread
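Review bot: the `# create pid file` comment no longer describes the block beneath it, which after this hunk also creates and labels the pump.sock socket; change it to something like `# create pid file and pump socket`. Two smaller points on the same hunk: `allow dhcpc_t dhcpc_var_run_t:sock_file manage_sock_file_perms;` is a raw allow sitting between two pattern macros, so `manage_sock_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)` is the consistent spelling; and since the commit message identifies the socket by name, a name-based transition (`files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, sock_file, "pump.sock")`, if the refpolicy tree in use supports the optional filename argument) would label only pump.sock instead of every sock_file dhcpc_t ever creates under /var/run.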
* [refpolicy] [PATCH 1/2] Update for pump DHCP client 2013-05-07 18:37 ` [refpolicy] [PATCH 1/2] Update for pump DHCP client Sven Vermeulen @ 2013-05-09 13:17 ` Christopher J. PeBenito 0 siblings, 0 replies; 7+ messages in thread From: Christopher J. PeBenito @ 2013-05-09 13:17 UTC (permalink / raw) To: refpolicy On 05/07/13 14:37, Sven Vermeulen wrote: > When invoking the pump DHCP client, the client immediately aborts. No errors are > shown, but the process isn't running and the returncode is 1. > > The denials reveal that pump wants to create a socket in /var/run (called > pump.sock). After granting dhcpc_t the rights to manage dhcpc_var_run_t > sock_file's and introduce a files_pid_filetrans for sock_file, pump gives the > next failure: > > ~# pump -i eth0 > failed to connect to localhost:bootpc: Connection refused > >>From the denials, we get that pump requires "accept" on its own > unix_stream_socket, which iteratively expands to "accept listen connectto". Once > assigned, pump seems to work again. > > Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> > --- > policy/modules/system/sysnetwork.te | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te > index 11247e2..49c5dfe 100644 > --- a/policy/modules/system/sysnetwork.te > +++ b/policy/modules/system/sysnetwork.te 
> @@ -54,6 +54,7 @@ allow dhcpc_t self:tcp_socket create_stream_socket_perms; > allow dhcpc_t self:udp_socket create_socket_perms; > allow dhcpc_t self:packet_socket create_socket_perms; > allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; > +allow dhcpc_t self:unix_stream_socket { accept listen connectto }; One minor nit. This should be expanded out to create_stream_socket_perms. It gets the other perms from that set from logging_send_syslog_msg(). If these perms were ever dropped (admittedly unlikely), we'd still need them here. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 7+ messages in thread
* [refpolicy] [PATCH 2/2] Support IPv6 Neighbor Discovery Protocol for dhcpcd 2013-05-07 18:37 [refpolicy] [PATCH 0/2] Small dhcpc_t updates Sven Vermeulen 2013-05-07 18:37 ` [refpolicy] [PATCH 1/2] Update for pump DHCP client Sven Vermeulen @ 2013-05-07 18:37 ` Sven Vermeulen 2013-05-09 13:12 ` Christopher J. PeBenito 1 sibling, 1 reply; 7+ messages in thread From: Sven Vermeulen @ 2013-05-07 18:37 UTC (permalink / raw) To: refpolicy The dhcpcd client supports IPv6 NDP, but when trying to use it the request fails with: ipv6rs: Permission denied In the audit log, a denial is shown about dhcpc_t wanting to create a rawip_socket. After allowing this, the client succeeds. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- policy/modules/system/sysnetwork.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 49c5dfe..e0e1556 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -53,6 +53,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms; allow dhcpc_t self:tcp_socket create_stream_socket_perms; allow dhcpc_t self:udp_socket create_socket_perms; allow dhcpc_t self:packet_socket create_socket_perms; +allow dhcpc_t self:rawip_socket create_socket_perms; allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; allow dhcpc_t self:unix_stream_socket { accept listen connectto }; -- 1.8.1.5 ^ permalink raw reply related [flat|nested] 7+ messages in thread
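Review bot: the commit message gives the denial but not the configuration that triggers it; as the rest of the thread establishes, it shows up with dhcpcd's `--ipv6ra_own` option (seen on 5.6.4) and not on a default run, and that reproduction detail belongs in the message so the next reader does not redo the same investigation. Also, the hunk's trailing context line `allow dhcpc_t self:unix_stream_socket { accept listen connectto };` is the line patch 1/2 adds, so if 1/2 is reworked to use create_stream_socket_perms this hunk needs a refresh before it applies cleanly. On the rule itself: a raw IP socket is what NDP's ICMPv6 router solicitations need, but it also lets dhcpc_t emit arbitrary IP packets, so a one-line comment in the .te saying it exists for ipv6rs/ipv6nd would help the next person auditing dhcpc_t's socket classes.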
* [refpolicy] [PATCH 2/2] Support IPv6 Neighbor Discovery Protocol for dhcpcd 2013-05-07 18:37 ` [refpolicy] [PATCH 2/2] Support IPv6 Neighbor Discovery Protocol for dhcpcd Sven Vermeulen @ 2013-05-09 13:12 ` Christopher J. PeBenito 2013-05-09 16:12 ` Sven Vermeulen 0 siblings, 1 reply; 7+ messages in thread From: Christopher J. PeBenito @ 2013-05-09 13:12 UTC (permalink / raw) To: refpolicy On 05/07/13 14:37, Sven Vermeulen wrote: > The dhcpcd client supports IPv6 NDP, but when trying to use it the request fails > with: > > ipv6rs: Permission denied > > In the audit log, a denial is shown about dhcpc_t wanting to create a > rawip_socket. After allowing this, the client succeeds. Thats odd; I don't see this on my IPv6 system. Which version of dhcpcd is this seen on? I'm using 5.6.8. > Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> > --- > policy/modules/system/sysnetwork.te | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te > index 49c5dfe..e0e1556 100644 > --- a/policy/modules/system/sysnetwork.te > +++ b/policy/modules/system/sysnetwork.te > @@ -53,6 +53,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms; > allow dhcpc_t self:tcp_socket create_stream_socket_perms; > allow dhcpc_t self:udp_socket create_socket_perms; > allow dhcpc_t self:packet_socket create_socket_perms; > +allow dhcpc_t self:rawip_socket create_socket_perms; > allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; > allow dhcpc_t self:unix_stream_socket { accept listen connectto }; > > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 7+ messages in thread
* [refpolicy] [PATCH 2/2] Support IPv6 Neighbor Discovery Protocol for dhcpcd
From: Sven Vermeulen @ 2013-05-09 16:12 UTC
To: refpolicy

On Thu, May 09, 2013 at 09:12:03AM -0400, Christopher J. PeBenito wrote:
> On 05/07/13 14:37, Sven Vermeulen wrote:
> > The dhcpcd client supports IPv6 NDP, but when trying to use it the request fails
> > with:
> >
> > ipv6rs: Permission denied
> >
> > In the audit log, a denial is shown about dhcpc_t wanting to create a
> > rawip_socket. After allowing this, the client succeeds.
>
> Thats odd; I don't see this on my IPv6 system. Which version of dhcpcd is this seen on? I'm using 5.6.8.

I'm using dhcpcd-5.6.4 currently; I use the "-t 5 -L --ipv6ra_own"
options.

I tried it again (disabled the rule):

 * Bringing up interface eth0
 *   dhcp ...
 *     Running dhcpcd ...
dhcpcd[19528]: version 5.6.4 starting
dhcpcd[19528]: all: disabling Kernel IPv6 RA support
dhcpcd[19528]: ipv6rs: Permission denied
dhcpcd[19528]: ipv6nd: Permission denied
dhcpcd[19528]: eth0: broadcasting for a lease
dhcpcd[19528]: timed out
dhcpcd[19528]: all: restoring Kernel IPv6 RA support
 * ERROR: net.eth0 failed to start

I'll update to 5.6.8 soon and see if it persists.

Wkr,
  Sven Vermeulen
* [refpolicy] [PATCH 2/2] Support IPv6 Neighbor Discovery Protocol for dhcpcd
From: Christopher J. PeBenito @ 2013-05-09 16:24 UTC
To: refpolicy

On 05/09/13 12:12, Sven Vermeulen wrote:
> On Thu, May 09, 2013 at 09:12:03AM -0400, Christopher J. PeBenito wrote:
>> On 05/07/13 14:37, Sven Vermeulen wrote:
>>> The dhcpcd client supports IPv6 NDP, but when trying to use it the request fails
>>> with:
>>>
>>> ipv6rs: Permission denied
>>>
>>> In the audit log, a denial is shown about dhcpc_t wanting to create a
>>> rawip_socket. After allowing this, the client succeeds.
>>
>> Thats odd; I don't see this on my IPv6 system. Which version of dhcpcd is this seen on? I'm using 5.6.8.
>
> I'm using dhcpcd-5.6.4 currently; I use the "-t 5 -L --ipv6ra_own"
> options.

Oh, I'm not using the --ipv6ra_own option. Maybe thats why I'm not seeing it.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
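The loop both patches in this thread came out of (run the client, read the AVC denials, grant what was denied, repeat until it works), plus the point raised on patch 1/2 about writing the result with refpolicy's permission-set macros rather than a hand-picked subset, as an added Python example. This is not code from the thread or from refpolicy; it is a stripped-down version of what audit2allow does. The AVC lines are constructed to match the denials the two commit messages describe, and the contents of rw_socket_perms, create_socket_perms and create_stream_socket_perms are reproduced from memory of policy/support/obj_perm_sets.spt, so check them against the tree you are building.

```python
"""Denial -> allow-rule loop used while writing the dhcpc_t patches above.

avc_to_rules() aggregates raw AVC denials into refpolicy 'allow' rules (the
core of what audit2allow does); collapse() folds a permission set back into
refpolicy's named macros, which is how a reviewer wants the rule written.
"""
import re
from collections import defaultdict

# Permission-set macros as defined in refpolicy's policy/support/obj_perm_sets.spt.
# Assumption: reproduced from memory; verify against the .spt file in your tree.
RW_SOCKET_PERMS = {"ioctl", "read", "getattr", "write", "setattr", "append",
                   "bind", "connect", "getopt", "setopt", "shutdown"}
MACROS = {
    "rw_socket_perms": RW_SOCKET_PERMS,
    "create_socket_perms": RW_SOCKET_PERMS | {"create"},
    "create_stream_socket_perms": RW_SOCKET_PERMS | {"create", "listen", "accept"},
}

# Fields of a kernel AVC record that matter for a rule: perms, contexts, class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample denials (not real audit output): pump creating pump.sock,
# the three unix_stream_socket denials pump surfaced one at a time, and the
# rawip_socket denial dhcpcd hits with --ipv6ra_own.
SAMPLE_AVC = [
    'type=AVC msg=audit(1367951000.101:41): avc:  denied  { create } for  pid=1234 comm="pump" '
    'name="pump.sock" scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:dhcpc_var_run_t tclass=sock_file',
    'type=AVC msg=audit(1367951000.102:42): avc:  denied  { accept } for  pid=1234 comm="pump" '
    'scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=unix_stream_socket',
    'type=AVC msg=audit(1367951000.103:43): avc:  denied  { listen } for  pid=1234 comm="pump" '
    'scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=unix_stream_socket',
    'type=AVC msg=audit(1367951000.104:44): avc:  denied  { connectto } for  pid=1234 comm="pump" '
    'scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=unix_stream_socket',
    'type=AVC msg=audit(1368115900.201:77): avc:  denied  { create } for  pid=19528 comm="dhcpcd" '
    'scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=rawip_socket',
]


def _type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def avc_to_rules(lines):
    """Aggregate denials into one 'allow src tgt:class { perms };' per
    (source type, target type, class); a target equal to the source is 'self'."""
    wanted = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (or one in a format we do not parse)
        src = _type_of(m.group("scontext"))
        tgt = _type_of(m.group("tcontext"))
        key = (src, "self" if tgt == src else tgt, m.group("tclass"))
        wanted[key].update(m.group("perms").split())
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(wanted.items())]


def collapse(perms):
    """Replace every macro whose members are all present by its name (largest
    macro first) and append the leftover raw permissions, sorted."""
    left = set(perms)
    names = []
    for name, members in sorted(MACROS.items(), key=lambda kv: -len(kv[1])):
        if members <= left:
            names.append(name)
            left -= members
    return names + sorted(left)


def merged_rule(src, tgt, tclass, new_perms, already_granted):
    """The rule a reviewer wants: the denied perms plus what the domain already
    holds on that class, expressed with macros so the rule stands on its own
    even if the interface that granted the rest is later tightened."""
    perms = set(new_perms) | set(already_granted)
    return f"allow {src} {tgt}:{tclass} {{ {' '.join(collapse(perms))} }};"


if __name__ == "__main__":
    for rule in avc_to_rules(SAMPLE_AVC):
        print(rule)
    # What logging_send_syslog_msg() already gives dhcpc_t on its own stream
    # sockets (assumption: create_socket_perms), merged with the new denials.
    print(merged_rule("dhcpc_t", "self", "unix_stream_socket",
                      {"accept", "listen", "connectto"}, MACROS["create_socket_perms"]))
```

Running it prints the three raw rules the denials alone justify and then the merged form, `{ create_stream_socket_perms connectto }`, which is the spelling asked for on patch 1/2: the denials only ever show the perms that are missing right now, so a rule generated from them alone silently depends on whichever other interface is supplying the rest. On a real system feed it `ausearch -m avc --raw` output, then compare against `audit2allow -r` before trusting either.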