commit: 7e809e87c1da6253cba08a8d8603f78be8b52b64 |
Author: Yi Zhao <yi.zhao <AT> windriver <DOT> com> |
AuthorDate: Tue Sep 15 02:57:58 2020 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Oct 11 21:07:46 2020 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7e809e87 |
|
sysnet: allow dhcpcd to create socket file |
|
dhcpcd needs to create a socket file under the /run/dhcpcd directory. |
|
Fixes: |
AVC avc: denied { create } for pid=331 comm="dhcpcd" name="eth0.sock" |
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 |
tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file |
permissive=0 |
|
AVC avc: denied { setattr } for pid=331 comm="dhcpcd" |
name="eth0.sock" dev="tmpfs" ino=19153 |
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 |
tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file |
permissive=0 |
|
AVC avc: denied { sendto } for pid=331 comm="dhcpcd" |
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 |
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 |
tclass=unix_dgram_socket permissive=0 |
|
Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/system/sysnetwork.te | 2 ++ |
1 file changed, 2 insertions(+) |
|
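diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 83389037..9099802e 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -62,6 +62,7 @@ allow dhcpc_t self:packet_socket create_socket_perms;
 allow dhcpc_t self:netlink_generic_socket create_socket_perms;
 allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
 allow dhcpc_t self:rawip_socket create_socket_perms;
+allow dhcpc_t self:unix_dgram_socket { create_socket_perms sendto };
 
 allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
 read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
@@ -74,6 +75,7 @@ allow dhcpc_t dhcpc_state_t:file map;
 
 # create pid file
 manage_files_pattern(dhcpc_t, dhcpc_runtime_t, dhcpc_runtime_t)
+manage_sock_files_pattern(dhcpc_t, dhcpc_runtime_t, dhcpc_runtime_t)
 create_dirs_pattern(dhcpc_t, dhcpc_runtime_t, dhcpc_runtime_t)
 # Create /var/run/dhcpc directory (state directory), needed for /run/dhcpc
 # Gets done through the dhcpcd-hooks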
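Review bot: Both added rules grant more than the three denials quoted in the commit message, and nothing in the policy records why. In the second hunk `manage_sock_files_pattern(dhcpc_t, dhcpc_runtime_t, dhcpc_runtime_t)` gives the full manage set on `sock_file` where only `create` and `setattr` were logged, and it sits under `# create pid file`, which no longer describes the rules below it. dhcpcd presumably also has to remove the socket on exit, so I would keep the macro and change the comment to something like `# create pid file and control socket under /run/dhcpcd`. In the first hunk only `sendto` was denied on `self:unix_dgram_socket`, which suggests the socket could already be created; it is worth confirming against the rest of the file, which lies outside the hunk, whether `create_socket_perms` is needed here or whether `allow dhcpc_t self:unix_dgram_socket sendto;` is enough.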