* [meta-selinux][PATCH 0/1] refpolicy: allow dhclient to bind unreserved_port_t socket
@ 2014-02-10  2:28 rongqing.li
  2014-02-10  2:28 ` [PATCH 1/1] " rongqing.li
  2014-02-10  2:57 ` [meta-selinux][PATCH 0/1] " Rongqing Li
  0 siblings, 2 replies; 3+ messages in thread
From: rongqing.li @ 2014-02-10  2:28 UTC (permalink / raw)
  To: yocto

From: Roy Li <rongqing.li@windriver.com>

The following changes since commit 13266999932edaa334b24c18c79815eb19559b86:

  refpolicy: Allow ping to get/set capabilities (2014-01-28 16:41:59 +0800)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib roy/refpolicy-dhclient
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/refpolicy-dhclient

Roy Li (1):
  refpolicy: allow dhclient to bind unreserved_port_t socket.

 .../poky-policy-allows-dhclient-to-bind.patch      |   43 ++++++++++++++++++++
 .../refpolicy/refpolicy_2.20130424.inc             |    1 +
 2 files changed, 44 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allows-dhclient-to-bind.patch

-- 
1.7.10.4




* [PATCH 1/1] refpolicy: allow dhclient to bind unreserved_port_t socket.
  2014-02-10  2:28 [meta-selinux][PATCH 0/1] refpolicy: allow dhclient to bind unreserved_port_t socket rongqing.li
@ 2014-02-10  2:28 ` rongqing.li
  2014-02-10  2:57 ` [meta-selinux][PATCH 0/1] " Rongqing Li
  1 sibling, 0 replies; 3+ messages in thread
From: rongqing.li @ 2014-02-10  2:28 UTC (permalink / raw)
  To: yocto

From: Roy Li <rongqing.li@windriver.com>

Once dhclient enables DNS support, it binds any port which is not reserved.

Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 .../poky-policy-allows-dhclient-to-bind.patch      |   43 ++++++++++++++++++++
 .../refpolicy/refpolicy_2.20130424.inc             |    1 +
 2 files changed, 44 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allows-dhclient-to-bind.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allows-dhclient-to-bind.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allows-dhclient-to-bind.patch
new file mode 100644
index 0000000..7118e8e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allows-dhclient-to-bind.patch
@@ -0,0 +1,43 @@
+From a9502eba0fef095ef6a2ff42bac020b25f7e384a Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Mon, 10 Feb 2014 08:40:04 +0800
+Subject: [PATCH] allows dhclient to bind unreserved_port_t socket
+
+Upstream-Status: Pending
+
+Once dhclient enables dns supports, the functions dns_client_createx will
+be called, it will find anyone port which is unreserved and unused.
+
+Call backtrace:
+    bind ()
+    isc__socket_bind ()
+    open_socket ()
+    get_udpsocket ()
+    dispatch_createudp ()
+    dns_dispatch_getudp ()
+    getudpdispatch ()
+    dns_client_createx ()
+    dhcp_context_create ()
+    main ()
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+ policy/modules/system/sysnetwork.te |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
+index 900b770..b554820 100644
+--- a/policy/modules/system/sysnetwork.te
++++ b/policy/modules/system/sysnetwork.te
+@@ -73,6 +73,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
+ sysnet_manage_config(dhcpc_t)
+ files_etc_filetrans(dhcpc_t, net_conf_t, file)
+ 
++corenet_udp_bind_all_unreserved_ports(dhcpc_t)
++
+ # create temp files
+ manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
+ manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
+-- 
+1.7.10.4
+
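Review bot: The added corenet_udp_bind_all_unreserved_ports(dhcpc_t) line in sysnetwork.te carries no comment and sits between files_etc_filetrans(dhcpc_t, net_conf_t, file) and the "# create temp files" block, so someone reading the policy later cannot tell why dhcpc_t is allowed to bind every unreserved UDP port. Add a one-line comment above the rule that carries the reason from the commit message (with DNS support enabled, dns_client_createx picks an unused unreserved port). The header also says Upstream-Status: Pending while the follow-up in this thread says the fix is already upstream; if the patch were kept, that field should read Backport and point at the upstream change.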
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index 4b618b2..f93361a 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -50,6 +50,7 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
             file://poky-policy-fix-seutils-manage-config-files.patch \
             file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
             file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
+            file://poky-policy-allows-dhclient-to-bind.patch \
            "
 
 # Backport from upstream
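Review bot: The new SRC_URI entry file://poky-policy-allows-dhclient-to-bind.patch is appended to the poky-policy-* list directly above the "# Backport from upstream" section. If the rule comes from upstream refpolicy rather than being carried locally, list it under that section instead, so the recipe shows which patches can be dropped on the next refpolicy upgrade. The file name also stops at "bind" without saying what is bound; naming the unreserved ports in it would match the subject line.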
-- 
1.7.10.4




* Re: [meta-selinux][PATCH 0/1] refpolicy: allow dhclient to bind unreserved_port_t socket
  2014-02-10  2:28 [meta-selinux][PATCH 0/1] refpolicy: allow dhclient to bind unreserved_port_t socket rongqing.li
  2014-02-10  2:28 ` [PATCH 1/1] " rongqing.li
@ 2014-02-10  2:57 ` Rongqing Li
  1 sibling, 0 replies; 3+ messages in thread
From: Rongqing Li @ 2014-02-10  2:57 UTC (permalink / raw)
  To: rongqing.li; +Cc: yocto

Please drop this one, I find the fix has been in upstream, and will backport
it.

On 02/10/2014 10:28 AM, rongqing.li@windriver.com wrote:
> From: Roy Li <rongqing.li@windriver.com>
>
> The following changes since commit 13266999932edaa334b24c18c79815eb19559b86:
>
>    refpolicy: Allow ping to get/set capabilities (2014-01-28 16:41:59 +0800)
>
> are available in the git repository at:
>
>    git://git.pokylinux.org/poky-contrib roy/refpolicy-dhclient
>    http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/refpolicy-dhclient
>
> Roy Li (1):
>    refpolicy: allow dhclient to bind unreserved_port_t socket.
>
>   .../poky-policy-allows-dhclient-to-bind.patch      |   43 ++++++++++++++++++++
>   .../refpolicy/refpolicy_2.20130424.inc             |    1 +
>   2 files changed, 44 insertions(+)
>   create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allows-dhclient-to-bind.patch
>

-- 
Best Regards,
Roy | RongQing Li


