1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
From d1c159d4400722e783d12cc3684c1cf15004f7a9 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Thu, 24 Sep 2020 14:05:52 +0800
Subject: [PATCH] policy/modules/system/sysnetwork: support priviledge
separation for dhcpcd
Fixes:
avc: denied { sys_chroot } for pid=332 comm="dhcpcd" capability=18
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
permissive=0
avc: denied { setgid } for pid=332 comm="dhcpcd" capability=6
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
permissive=0
avc: denied { setuid } for pid=332 comm="dhcpcd" capability=7
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
permissive=0
avc: denied { setrlimit } for pid=332 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=process
permissive=0
avc: denied { create } for pid=330 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=0
avc: denied { setopt } for pid=330 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=0
avc: denied { bind } for pid=330 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=0
avc: denied { getattr } for pid=330 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=0
avc: denied { read } for pid=330 comm="dhcpcd" name="n1" dev="tmpfs"
ino=15616 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
avc: denied { open } for pid=330 comm="dhcpcd"
path="/run/udev/data/n1" dev="tmpfs" ino=15616
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
avc: denied { getattr } for pid=330 comm="dhcpcd"
path="/run/udev/data/n1" dev="tmpfs" ino=15616
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
avc: denied { connectto } for pid=1600 comm="dhcpcd"
path="/run/dhcpcd/unpriv.sock"
scontext=root:sysadm_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=0
avc: denied { kill } for pid=314 comm="dhcpcd" capability=5
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
permissive=0
avc: denied { getattr } for pid=300 comm="dhcpcd"
path="net:[4026532008]" dev="nsfs" ino=4026532008
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/system/sysnetwork.te | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 4c317cc4c..05a9a52b8 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -58,10 +58,11 @@ ifdef(`distro_debian',`
# DHCP client local policy
#
allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config };
+allow dhcpc_t self:capability { setgid setuid sys_chroot kill };
dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
+allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms setrlimit };
allow dhcpc_t self:fifo_file rw_fifo_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
@@ -69,8 +70,10 @@ allow dhcpc_t self:udp_socket create_socket_perms;
allow dhcpc_t self:packet_socket create_socket_perms;
allow dhcpc_t self:netlink_generic_socket create_socket_perms;
allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
+allow dhcpc_t self:netlink_kobject_uevent_socket create_socket_perms;
allow dhcpc_t self:rawip_socket create_socket_perms;
allow dhcpc_t self:unix_dgram_socket { create_socket_perms sendto };
+allow dhcpc_t self:unix_stream_socket connectto;
allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
@@ -146,6 +149,7 @@ files_manage_var_files(dhcpc_t)
fs_getattr_all_fs(dhcpc_t)
fs_search_auto_mountpoints(dhcpc_t)
fs_search_cgroup_dirs(dhcpc_t)
+fs_read_nsfs_files(dhcpc_t)
term_dontaudit_use_all_ttys(dhcpc_t)
term_dontaudit_use_all_ptys(dhcpc_t)
@@ -181,6 +185,7 @@ ifdef(`init_systemd',`
init_stream_connect(dhcpc_t)
init_get_all_units_status(dhcpc_t)
init_search_units(dhcpc_t)
+ udev_read_runtime_files(dhcpc_t)
')
optional_policy(`
--
2.17.1
|
