[refpolicy] [PATCH] Update the dhcp client part of the sysnetwork module

[refpolicy] [PATCH] Update the dhcp client part of the sysnetwork module

[Guido Trentalancia]

Update the sysnetwork module to add some permissions needed by
the dhcp client (dhclient-script).

Create auxiliary interfaces in the ntp module and in the kernel
files module.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/ntp.if       |   19 +++++++++++++++++++
 policy/modules/kernel/files.if      |   19 +++++++++++++++++++
 policy/modules/system/sysnetwork.te |   11 +++++++++++
 3 files changed, 49 insertions(+)

--- refpolicy-git-06082016-orig2/policy/modules/kernel/files.if	2016-08-09 00:02:26.083934522 +0200
+++ refpolicy-git-06082016/policy/modules/kernel/files.if	2016-08-08 23:30:01.781638983 +0200
@@ -5348,6 +5348,25 @@ interface(`files_dontaudit_list_var',`
 
 ########################################
 ## <summary>
+##      Add directory entries in the
+##      /var directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_add_entry_var_dirs',`
+	gen_require(`
+		type var_t;
+	')
+
+	allow $1 var_t:dir add_entry_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete directories
 ##	in the /var directory.
 ## </summary>
--- refpolicy-git-06082016-orig2/policy/modules/contrib/ntp.if	2016-08-06 21:27:11.375094577 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/ntp.if	2016-08-08 23:09:34.553877178 +0200
@@ -101,6 +101,25 @@ interface(`ntp_initrc_domtrans',`
 
 ########################################
 ## <summary>
+##      Read ntp conf files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ntp_read_conf_files',`
+	gen_require(`
+		type ntp_conf_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, ntp_conf_t, ntp_conf_t)
+')
+
+########################################
+## <summary>
 ##	Read ntp drift files.
 ## </summary>
 ## <param name="domain">
--- refpolicy-git-06082016-orig2/policy/modules/system/sysnetwork.te	2016-08-09 00:02:35.257150332 +0200
+++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te	2016-08-08 23:51:37.145701574 +0200
@@ -67,6 +67,9 @@ allow dhcpc_t dhcp_state_t:file read_fil
 manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
 filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
 
+# execute restorecon
+seutil_exec_setfiles(dhcpc_t)
+
 # create pid file
 manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
 create_dirs_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
@@ -76,12 +79,20 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_r
 # in /etc created by dhcpcd will be labelled net_conf_t.
 sysnet_manage_config(dhcpc_t)
 files_etc_filetrans(dhcpc_t, net_conf_t, file)
+ntp_read_conf_files(dhcpc_t)
+
+# manage files in /var
+files_add_entry_var_dirs(dhcpc_t)
+files_manage_var_files(dhcpc_t)
 
 # create temp files
 manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
 manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
 files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir })
 
+# search cgroup directories
+fs_search_cgroup_dirs(dhcpc_t)
+
 can_exec(dhcpc_t, dhcpc_exec_t)
 
 kernel_load_module(dhcpc_t)

[refpolicy] [PATCH v2] Update the dhcp client part of the sysnetwork module

[Guido Trentalancia]

Update the sysnetwork module to add some permissions needed by
the dhcp client.

Create auxiliary interfaces in the ntp module and in the kernel
files module.

The permission to execute restorecon/setfiles (required by the
dhclient-script script and granted in a previous version of this
patch) is not granted, as it does not break the script functioning.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/ntp.if       |   19 +++++++++++++++++++
 policy/modules/kernel/files.if      |   19 +++++++++++++++++++
 policy/modules/system/sysnetwork.te |    8 ++++++++
 3 files changed, 46 insertions(+)

--- refpolicy-git-06082016-orig2/policy/modules/kernel/files.if	2016-08-09 00:02:26.083934522 +0200
+++ refpolicy-git-06082016/policy/modules/kernel/files.if	2016-08-08 23:30:01.781638983 +0200
@@ -5348,6 +5348,25 @@ interface(`files_dontaudit_list_var',`
 
 ########################################
 ## <summary>
+##      Add directory entries in the
+##      /var directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_add_entry_var_dirs',`
+	gen_require(`
+		type var_t;
+	')
+
+	allow $1 var_t:dir add_entry_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete directories
 ##	in the /var directory.
 ## </summary>
--- refpolicy-git-06082016-orig2/policy/modules/contrib/ntp.if	2016-08-06 21:27:11.375094577 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/ntp.if	2016-08-08 23:09:34.553877178 +0200
@@ -101,6 +101,25 @@ interface(`ntp_initrc_domtrans',`
 
 ########################################
 ## <summary>
+##      Read ntp conf files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ntp_read_conf_files',`
+	gen_require(`
+		type ntp_conf_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, ntp_conf_t, ntp_conf_t)
+')
+
+########################################
+## <summary>
 ##	Read ntp drift files.
 ## </summary>
 ## <param name="domain">
--- refpolicy-git-06082016-orig2/policy/modules/system/sysnetwork.te	2016-08-09 00:02:35.257150332 +0200
+++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te	2016-08-08 23:51:37.145701574 +0200
@@ -76,12 +79,20 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_r
 # in /etc created by dhcpcd will be labelled net_conf_t.
 sysnet_manage_config(dhcpc_t)
 files_etc_filetrans(dhcpc_t, net_conf_t, file)
+ntp_read_conf_files(dhcpc_t)
+
+# manage files in /var
+files_add_entry_var_dirs(dhcpc_t)
+files_manage_var_files(dhcpc_t)
 
 # create temp files
 manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
 manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
 files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir })
 
+# search cgroup directories
+fs_search_cgroup_dirs(dhcpc_t)
+
 can_exec(dhcpc_t, dhcpc_exec_t)
 
 kernel_load_module(dhcpc_t)

[refpolicy] [PATCH v2] Update the dhcp client part of the sysnetwork module

[Chris PeBenito]

On 08/09/16 13:05, Guido Trentalancia wrote:
> Update the sysnetwork module to add some permissions needed by
> the dhcp client.
>
> Create auxiliary interfaces in the ntp module and in the kernel
> files module.
>
> The permission to execute restorecon/setfiles (required by the
> dhclient-script script and granted in a previous version of this
> patch) is not granted, as it does not break the script functioning.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/contrib/ntp.if       |   19 +++++++++++++++++++
>  policy/modules/kernel/files.if      |   19 +++++++++++++++++++
>  policy/modules/system/sysnetwork.te |    8 ++++++++
>  3 files changed, 46 insertions(+)
>
[...]

> --- refpolicy-git-06082016-orig2/policy/modules/system/sysnetwork.te	2016-08-09 00:02:35.257150332 +0200
> +++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te	2016-08-08 23:51:37.145701574 +0200
> @@ -76,12 +79,20 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_r
>  # in /etc created by dhcpcd will be labelled net_conf_t.
>  sysnet_manage_config(dhcpc_t)
>  files_etc_filetrans(dhcpc_t, net_conf_t, file)
> +ntp_read_conf_files(dhcpc_t)

This should made optional, since ntp is in contrib (and not strictly 
required).


> +# manage files in /var
> +files_add_entry_var_dirs(dhcpc_t)

This isn't necessary as the below call allows these perms.

> +files_manage_var_files(dhcpc_t)
>  # create temp files
>  manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
>  manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
>  files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir })
>
> +# search cgroup directories
> +fs_search_cgroup_dirs(dhcpc_t)
> +
>  can_exec(dhcpc_t, dhcpc_exec_t)
>
>  kernel_load_module(dhcpc_t)


-- 
Chris PeBenito

[refpolicy] [PATCH v3] Update the dhcp client and ifconfig parts of the sysnetwork module

[Guido Trentalancia]

Update the sysnetwork module to add some permissions needed by
the dhcp client and ifconfig.

Create auxiliary interfaces in the ntp module.

The permission to execute restorecon/setfiles (required by the
dhclient-script script and granted in a previous version of this
patch) is not granted, as it does not break the script functioning.

Include revisions from Chris PeBenito.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/ntp.if       |   19 +++++++++++++++++++
 policy/modules/system/sysnetwork.te |   14 +++++++++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)

--- refpolicy-git-06082016-orig/policy/modules/contrib/ntp.if	2016-08-06 21:27:11.375094577 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/ntp.if	2016-08-08 23:09:34.553877178 +0200
@@ -101,6 +101,25 @@ interface(`ntp_initrc_domtrans',`
 
 ########################################
 ## <summary>
+##      Read ntp conf files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ntp_read_conf_files',`
+	gen_require(`
+		type ntp_conf_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, ntp_conf_t, ntp_conf_t)
+')
+
+########################################
+## <summary>
 ##	Read ntp drift files.
 ## </summary>
 ## <param name="domain">
--- refpolicy-git-06082016-orig/policy/modules/system/sysnetwork.te	2016-08-06 21:26:43.309774442 +0200
+++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te	2016-08-13 15:29:44.178844440 +0200
@@ -50,7 +50,7 @@ ifdef(`distro_debian',`
 allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
 dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
 # for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+dontaudit dhcpc_t self:capability { dac_read_search };
 allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
 
 allow dhcpc_t self:fifo_file rw_fifo_file_perms;
@@ -77,13 +77,21 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_r
 sysnet_manage_config(dhcpc_t)
 files_etc_filetrans(dhcpc_t, net_conf_t, file)
 
+# manage files in /var
+files_add_entry_var_dirs(dhcpc_t)
+files_manage_var_files(dhcpc_t)
+
 # create temp files
 manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
 manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
 files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir })
 
+# search cgroup directories
+fs_search_cgroup_dirs(dhcpc_t)
+
 can_exec(dhcpc_t, dhcpc_exec_t)
 
+kernel_load_module(dhcpc_t)
 kernel_read_system_state(dhcpc_t)
 kernel_read_network_state(dhcpc_t)
 kernel_search_network_sysctl(dhcpc_t)
@@ -225,6 +233,7 @@ optional_policy(`
 optional_policy(`
 	ntp_initrc_domtrans(dhcpc_t)
 	ntp_read_drift_files(dhcpc_t)
+	ntp_read_conf_files(dhcpc_t)
 ')
 
 optional_policy(`
@@ -287,6 +296,7 @@ allow ifconfig_t self:netlink_route_sock
 allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
 allow ifconfig_t self:tcp_socket { create ioctl };
 
+kernel_load_module(ifconfig_t)
 kernel_use_fds(ifconfig_t)
 kernel_read_system_state(ifconfig_t)
 kernel_read_network_state(ifconfig_t)
@@ -305,6 +315,8 @@ domain_use_interactive_fds(ifconfig_t)
 files_read_etc_files(ifconfig_t)
 files_read_etc_runtime_files(ifconfig_t)
 
+files_read_firmware_files(ifconfig_t)
+
 fs_getattr_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)
 

[refpolicy] [PATCH v4] Update the dhcp client and ifconfig parts of the sysnetwork module

[Guido Trentalancia]

Update the sysnetwork module to add some permissions needed by
the dhcp client and ifconfig.

Create auxiliary interfaces in the ntp module.

The permission to execute restorecon/setfiles (required by the
dhclient-script script and granted in a previous version of this
patch) is not granted, as it does not break the script functioning.

Include revisions from Chris PeBenito.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/ntp.if       |   19 +++++++++++++++++++
 policy/modules/system/sysnetwork.te |   13 ++++++++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)

--- refpolicy-git-06082016-orig/policy/modules/contrib/ntp.if	2016-08-06 21:27:11.375094577 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/ntp.if	2016-08-08 23:09:34.553877178 +0200
@@ -101,6 +101,25 @@ interface(`ntp_initrc_domtrans',`
 
 ########################################
 ## <summary>
+##      Read ntp conf files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ntp_read_conf_files',`
+	gen_require(`
+		type ntp_conf_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, ntp_conf_t, ntp_conf_t)
+')
+
+########################################
+## <summary>
 ##	Read ntp drift files.
 ## </summary>
 ## <param name="domain">
--- refpolicy-git-06082016-orig/policy/modules/system/sysnetwork.te	2016-08-06 21:26:43.309774442 +0200
+++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te	2016-08-13 15:38:53.272358155 +0200
@@ -50,7 +50,7 @@ ifdef(`distro_debian',`
 allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
 dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
 # for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+dontaudit dhcpc_t self:capability { dac_read_search };
 allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
 
 allow dhcpc_t self:fifo_file rw_fifo_file_perms;
@@ -77,13 +77,20 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_r
 sysnet_manage_config(dhcpc_t)
 files_etc_filetrans(dhcpc_t, net_conf_t, file)
 
+# manage files in /var
+files_manage_var_files(dhcpc_t)
+
 # create temp files
 manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
 manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
 files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir })
 
+# search cgroup directories
+fs_search_cgroup_dirs(dhcpc_t)
+
 can_exec(dhcpc_t, dhcpc_exec_t)
 
+kernel_load_module(dhcpc_t)
 kernel_read_system_state(dhcpc_t)
 kernel_read_network_state(dhcpc_t)
 kernel_search_network_sysctl(dhcpc_t)
@@ -225,6 +232,7 @@ optional_policy(`
 optional_policy(`
 	ntp_initrc_domtrans(dhcpc_t)
 	ntp_read_drift_files(dhcpc_t)
+	ntp_read_conf_files(dhcpc_t)
 ')
 
 optional_policy(`
@@ -287,6 +295,7 @@ allow ifconfig_t self:netlink_route_sock
 allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
 allow ifconfig_t self:tcp_socket { create ioctl };
 
+kernel_load_module(ifconfig_t)
 kernel_use_fds(ifconfig_t)
 kernel_read_system_state(ifconfig_t)
 kernel_read_network_state(ifconfig_t)
@@ -305,6 +314,8 @@ domain_use_interactive_fds(ifconfig_t)
 files_read_etc_files(ifconfig_t)
 files_read_etc_runtime_files(ifconfig_t)
 
+files_read_firmware_files(ifconfig_t)
+
 fs_getattr_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)
 

[refpolicy] [PATCH v4] Update the dhcp client and ifconfig parts of the sysnetwork module

[Chris PeBenito]

On 08/13/16 09:44, Guido Trentalancia wrote:
> Update the sysnetwork module to add some permissions needed by
> the dhcp client and ifconfig.
>
> Create auxiliary interfaces in the ntp module.
>
> The permission to execute restorecon/setfiles (required by the
> dhclient-script script and granted in a previous version of this
> patch) is not granted, as it does not break the script functioning.
>
> Include revisions from Chris PeBenito.
>
[...]

> @@ -287,6 +295,7 @@ allow ifconfig_t self:netlink_route_sock
>  allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
>  allow ifconfig_t self:tcp_socket { create ioctl };
>
> +kernel_load_module(ifconfig_t)

I missed this earlier but am concerned with this change.  There is an 
open question on why this is needed when it has 
kernel_request_load_module() already (see "ifconfig loads kernel 
modules" thread from the beginning of the month).


> @@ -305,6 +314,8 @@ domain_use_interactive_fds(ifconfig_t)
>  files_read_etc_files(ifconfig_t)
>  files_read_etc_runtime_files(ifconfig_t)
>
> +files_read_firmware_files(ifconfig_t)

I still have issues with this (see other thread).


-- 
Chris PeBenito

[refpolicy] [PATCH v4] Update the dhcp client and ifconfig parts of the sysnetwork module

[guido guido]

Hello Chris.

> On 13th August 2016 at 16.13 Chris PeBenito <pebenito@ieee.org> wrote:
> 
> 
> On 08/13/16 09:44, Guido Trentalancia wrote:
> > Update the sysnetwork module to add some permissions needed by
> > the dhcp client and ifconfig.
> >
> > Create auxiliary interfaces in the ntp module.
> >
> > The permission to execute restorecon/setfiles (required by the
> > dhclient-script script and granted in a previous version of this
> > patch) is not granted, as it does not break the script functioning.
> >
> > Include revisions from Chris PeBenito.
> >
> [...]
> 
> > @@ -287,6 +295,7 @@ allow ifconfig_t self:netlink_route_sock
> >  allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
> >  allow ifconfig_t self:tcp_socket { create ioctl };
> >
> > +kernel_load_module(ifconfig_t)
> 
> I missed this earlier but am concerned with this change.  There is an 
> open question on why this is needed when it has 
> kernel_request_load_module() already (see "ifconfig loads kernel 
> modules" thread from the beginning of the month).

I cannot see the reason why dhcpc_t can call kernel_load_module(),
while the ifconfig_t domain cannot...

It's triggered, for example, by the following usage:

dhclient usb0

so, it believe it tries to load the module for the usb (or other kind
of) networking.

What do you say ?

> > @@ -305,6 +314,8 @@ domain_use_interactive_fds(ifconfig_t)
> >  files_read_etc_files(ifconfig_t)
> >  files_read_etc_runtime_files(ifconfig_t)
> >
> > +files_read_firmware_files(ifconfig_t)
> 
> I still have issues with this (see other thread).

I can remove the newly created firmware_t type and grant permissions to
read lib_t instead...

Regards,

Guido

[refpolicy] [PATCH v5] Update the dhcp client and ifconfig parts of the sysnetwork module

[Guido Trentalancia]

Update the sysnetwork module to add some permissions needed by
the dhcp client and ifconfig.

Create auxiliary interfaces in the ntp module.

The permission to execute restorecon/setfiles (required by the
dhclient-script script and granted in a previous version of this
patch) is not granted, as it does not break the script functioning.

Include revisions from Chris PeBenito.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/ntp.if       |   19 +++++++++++++++++++
 policy/modules/system/sysnetwork.te |   13 ++++++++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)

--- refpolicy-git-06082016-orig/policy/modules/contrib/ntp.if	2016-08-06
21:27:11.375094577 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/ntp.if	2016-08-08
23:09:34.553877178 +0200
@@ -101,6 +101,25 @@ interface(`ntp_initrc_domtrans',`
 
 ########################################
 ## <summary>
+##      Read ntp conf files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ntp_read_conf_files',`
+	gen_require(`
+		type ntp_conf_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, ntp_conf_t, ntp_conf_t)
+')
+
+########################################
+## <summary>
 ##	Read ntp drift files.
 ## </summary>
 ## <param name="domain">
--- refpolicy-git-06082016-orig/policy/modules/system/sysnetwork.te	2016-08-06
21:26:43.309774442 +0200
+++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te	2016-08-13
23:38:42.816761522 +0200
@@ -50,7 +50,7 @@ ifdef(`distro_debian',`
 allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw
net_bind_service setpcap sys_nice sys_resource sys_tty_config };
 dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
 # for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+dontaudit dhcpc_t self:capability { dac_read_search };
 allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace
signal_perms };
 
 allow dhcpc_t self:fifo_file rw_fifo_file_perms;
@@ -77,13 +77,20 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_r
 sysnet_manage_config(dhcpc_t)
 files_etc_filetrans(dhcpc_t, net_conf_t, file)
 
+# manage files in /var
+files_manage_var_files(dhcpc_t)
+
 # create temp files
 manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
 manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
 files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir })
 
+# search cgroup directories
+fs_search_cgroup_dirs(dhcpc_t)
+
 can_exec(dhcpc_t, dhcpc_exec_t)
 
+kernel_load_module(dhcpc_t)
 kernel_read_system_state(dhcpc_t)
 kernel_read_network_state(dhcpc_t)
 kernel_search_network_sysctl(dhcpc_t)
@@ -225,6 +232,7 @@ optional_policy(`
 optional_policy(`
 	ntp_initrc_domtrans(dhcpc_t)
 	ntp_read_drift_files(dhcpc_t)
+	ntp_read_conf_files(dhcpc_t)
 ')
 
 optional_policy(`

[refpolicy] [PATCH v4] Update the dhcp client and ifconfig parts of the sysnetwork module

[Chris PeBenito]

On 08/13/16 12:15, guido guido wrote:
> Hello Chris.
>
>> On 13th August 2016 at 16.13 Chris PeBenito <pebenito@ieee.org> wrote:
>>
>>
>> On 08/13/16 09:44, Guido Trentalancia wrote:
>>> Update the sysnetwork module to add some permissions needed by
>>> the dhcp client and ifconfig.
>>>
>>> Create auxiliary interfaces in the ntp module.
>>>
>>> The permission to execute restorecon/setfiles (required by the
>>> dhclient-script script and granted in a previous version of this
>>> patch) is not granted, as it does not break the script functioning.
>>>
>>> Include revisions from Chris PeBenito.
>>>
>> [...]
>>
>>> @@ -287,6 +295,7 @@ allow ifconfig_t self:netlink_route_sock
>>>  allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
>>>  allow ifconfig_t self:tcp_socket { create ioctl };
>>>
>>> +kernel_load_module(ifconfig_t)
>>
>> I missed this earlier but am concerned with this change.  There is an
>> open question on why this is needed when it has
>> kernel_request_load_module() already (see "ifconfig loads kernel
>> modules" thread from the beginning of the month).
>
> I cannot see the reason why dhcpc_t can call kernel_load_module(),
> while the ifconfig_t domain cannot...
>
> It's triggered, for example, by the following usage:
>
> dhclient usb0
>
> so, it believe it tries to load the module for the usb (or other kind
> of) networking.
>
> What do you say ?

I don't see permission for dhcpc_t to load kernel modules in refpolicy. 
I do see kernel_request_load_module(dhcpc_t), which ifconfig_t has too.

-- 
Chris PeBenito

[refpolicy] [PATCH v6] Update the dhcp client part of the sysnetwork module

[Guido Trentalancia]

Update the sysnetwork module to add some permissions needed by
the dhcp client (another separate patch makes changes to the
ifconfig part).

Create auxiliary interfaces in the ntp module.

The permission to execute restorecon/setfiles (required by the
dhclient-script script and granted in a previous version of this
patch) is not granted, as it does not break the script functioning.

Include revisions from Chris PeBenito.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/ntp.if       |   19 +++++++++++++++++++
 policy/modules/system/sysnetwork.te |   10 ++++++++++
 2 files changed, 29 insertions(+)

--- refpolicy-git-06082016-orig/policy/modules/contrib/ntp.if	2016-08-06 21:27:11.375094577 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/ntp.if	2016-08-08 23:09:34.553877178 +0200
@@ -101,6 +101,25 @@ interface(`ntp_initrc_domtrans',`
 
 ########################################
 ## <summary>
+##      Read ntp conf files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ntp_read_conf_files',`
+	gen_require(`
+		type ntp_conf_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, ntp_conf_t, ntp_conf_t)
+')
+
+########################################
+## <summary>
 ##	Read ntp drift files.
 ## </summary>
 ## <param name="domain">
--- refpolicy-git-06082016-orig/policy/modules/system/sysnetwork.te	2016-08-06 21:26:43.309774442 +0200
+++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te	2016-08-14 20:17:19.170766644 +0200
@@ -77,11 +77,17 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_r
 sysnet_manage_config(dhcpc_t)
 files_etc_filetrans(dhcpc_t, net_conf_t, file)
 
+# manage files in /var
+files_manage_var_files(dhcpc_t)
+
 # create temp files
 manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
 manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
 files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir })
 
+# search cgroup directories
+fs_search_cgroup_dirs(dhcpc_t)
+
 can_exec(dhcpc_t, dhcpc_exec_t)
 
 kernel_read_system_state(dhcpc_t)
@@ -225,6 +231,7 @@ optional_policy(`
 optional_policy(`
 	ntp_initrc_domtrans(dhcpc_t)
 	ntp_read_drift_files(dhcpc_t)
+	ntp_read_conf_files(dhcpc_t)
 ')
 
 optional_policy(`

[refpolicy] [PATCH v6] Update the dhcp client part of the sysnetwork module

[Chris PeBenito]

On 08/14/16 14:27, Guido Trentalancia wrote:
> Update the sysnetwork module to add some permissions needed by
> the dhcp client (another separate patch makes changes to the
> ifconfig part).
>
> Create auxiliary interfaces in the ntp module.
>
> The permission to execute restorecon/setfiles (required by the
> dhclient-script script and granted in a previous version of this
> patch) is not granted, as it does not break the script functioning.
>
> Include revisions from Chris PeBenito.


Merged, though I rearranged some lines.


> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/contrib/ntp.if       |   19 +++++++++++++++++++
>  policy/modules/system/sysnetwork.te |   10 ++++++++++
>  2 files changed, 29 insertions(+)
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/ntp.if	2016-08-06 21:27:11.375094577 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/ntp.if	2016-08-08 23:09:34.553877178 +0200
> @@ -101,6 +101,25 @@ interface(`ntp_initrc_domtrans',`
>
>  ########################################
>  ## <summary>
> +##      Read ntp conf files.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`ntp_read_conf_files',`
> +	gen_require(`
> +		type ntp_conf_t;
> +	')
> +
> +	files_search_etc($1)
> +	read_files_pattern($1, ntp_conf_t, ntp_conf_t)
> +')
> +
> +########################################
> +## <summary>
>  ##	Read ntp drift files.
>  ## </summary>
>  ## <param name="domain">
> --- refpolicy-git-06082016-orig/policy/modules/system/sysnetwork.te	2016-08-06 21:26:43.309774442 +0200
> +++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te	2016-08-14 20:17:19.170766644 +0200
> @@ -77,11 +77,17 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_r
>  sysnet_manage_config(dhcpc_t)
>  files_etc_filetrans(dhcpc_t, net_conf_t, file)
>
> +# manage files in /var
> +files_manage_var_files(dhcpc_t)
> +
>  # create temp files
>  manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
>  manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
>  files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir })
>
> +# search cgroup directories
> +fs_search_cgroup_dirs(dhcpc_t)
> +
>  can_exec(dhcpc_t, dhcpc_exec_t)
>
>  kernel_read_system_state(dhcpc_t)
> @@ -225,6 +231,7 @@ optional_policy(`
>  optional_policy(`
>  	ntp_initrc_domtrans(dhcpc_t)
>  	ntp_read_drift_files(dhcpc_t)
> +	ntp_read_conf_files(dhcpc_t)
>  ')
>
>  optional_policy(`
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


-- 
Chris PeBenito