From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 2/3] Allow iw to create generic netlink sockets
Date: Thu, 23 Oct 2014 08:13:22 -0400
Message-ID: <5448F0E2.3070405@tresys.com>
In-Reply-To: <1413639022-27375-2-git-send-email-nicolas.iooss@m4x.org>
On 10/18/2014 9:30 AM, Nicolas Iooss wrote:
> iw uses a generic netlink socket to configure WiFi properties. For
> example, "strace iw dev wlan0 set power_save on" outputs:
>
> socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
> setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
> setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0
> bind(3, {sa_family=AF_NETLINK, pid=7836, groups=00000000}, 12) = 0
>
> Some AVC denials are reported in audit.log:
>
> type=AVC msg=audit(1408829044.820:486): avc: denied { create } for
> pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
> permissive=1
> type=AVC msg=audit(1408829044.820:487): avc: denied { setopt } for
> pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
> permissive=1
> type=AVC msg=audit(1408829044.820:488): avc: denied { bind } for
> pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
> permissive=1
> type=AVC msg=audit(1408829044.820:489): avc: denied { getattr }
> for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
> permissive=1
> type=AVC msg=audit(1408829044.820:490): avc: denied { write } for
> pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
> permissive=1
>
> Allowing ifconfig_t to create generic netlink sockets fixes this.
Merged.
> (On a side note, the AVC denials were caused by TLP, a tool which
> applies "laptop configuration" when switching between AC and battery
> with the help of a udev script)
> ---
> policy/modules/system/sysnetwork.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index 0a3ea3d979b9..bcba404cd38e 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -274,6 +274,7 @@ allow ifconfig_t self:msg { send receive };
> allow ifconfig_t self:udp_socket create_socket_perms;
> # for /sbin/ip
> allow ifconfig_t self:packet_socket create_socket_perms;
> +allow ifconfig_t self:netlink_socket create_socket_perms;
> allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
> allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
> allow ifconfig_t self:tcp_socket { create ioctl };
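Review bot: the new `allow ifconfig_t self:netlink_socket create_socket_perms;` line sits directly under the `# for /sbin/ip` comment that documents the packet_socket rule, so a reader of sysnetwork.te will take it as another ip(8) requirement; a one-line comment naming iw and NETLINK_GENERIC above the new rule (e.g. `# for iw (generic netlink)`) would keep the reason for it visible in the policy. The permission set matches the quoted denials, since create, setopt, bind, getattr and write are all covered by create_socket_perms. Because the adjacent netlink_route_socket and netlink_xfrm_socket rules use create_netlink_socket_perms instead, and patch 3/3 of this series is about exactly that macro choice, it would help to state in the commit message why the plain create_socket_perms macro is the intended one for the generic netlink_socket class.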
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
2014-10-18 13:30 [refpolicy] [PATCH 1/3] Label /sbin/iw as ifconfig_exec_t Nicolas Iooss
2014-10-18 13:30 ` [refpolicy] [PATCH 2/3] Allow iw to create generic netlink sockets Nicolas Iooss
2014-10-23 12:13 ` Christopher J. PeBenito [this message]
2014-10-18 13:30 ` [refpolicy] [PATCH 3/3] Use create_netlink_socket_perms when allowing netlink socket creation Nicolas Iooss
2014-10-23 12:13 ` Christopher J. PeBenito
2014-10-23 12:13 ` [refpolicy] [PATCH 1/3] Label /sbin/iw as ifconfig_exec_t Christopher J. PeBenito