commit: 3805de84f208d3e85057eab898de864af6128558
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Oct 18 13:30:21 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Oct 31 15:26:27 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3805de84
Allow iw to create generic netlink sockets
iw uses a generic netlink socket to configure WiFi properties. For
example, "strace iw dev wlan0 set power_save on" outputs:
socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0
bind(3, {sa_family=AF_NETLINK, pid=7836, groups=00000000}, 12) = 0
Some AVC denials are reported in audit.log:
type=AVC msg=audit(1408829044.820:486): avc: denied { create } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:487): avc: denied { setopt } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:488): avc: denied { bind } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:489): avc: denied { getattr }
for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:490): avc: denied { write } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
Allowing ifconfig_t to create generic netlink sockets fixes this.
(On a side note, the AVC denials were caused by TLP, a tool which
applies "laptop configuration" when switching between AC and battery
with the help of a udev script)
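The step the commit message describes by hand, going from the quoted AVC denials to the one-line allow rule, as an added example that is not part of the commit or of refpolicy. It re-joins the five wrapped audit.log lines, groups the denied permissions by source type, target type and object class, picks the smallest named refpolicy permission set that covers them, and prints the rule. The permission-set definitions are copied by hand from refpolicy's policy/support/obj_perm_sets.spt and are an assumption about the revision the patch targets; the extra denial used in the coverage check is constructed, not from the page.

```python
"""Derive a refpolicy allow rule from AVC denials (added example, not refpolicy code)."""
import re
from collections import defaultdict

# The five denials quoted in the commit message, re-joined onto one line each
# (constructed from the quoted audit.log excerpt with the wrapping removed).
AVC_LINES = [
    'type=AVC msg=audit(1408829044.820:486): avc: denied { create } for pid=5950 comm="iw" '
    'scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1',
    'type=AVC msg=audit(1408829044.820:487): avc: denied { setopt } for pid=5950 comm="iw" '
    'scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1',
    'type=AVC msg=audit(1408829044.820:488): avc: denied { bind } for pid=5950 comm="iw" '
    'scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1',
    'type=AVC msg=audit(1408829044.820:489): avc: denied { getattr } for pid=5950 comm="iw" '
    'scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1',
    'type=AVC msg=audit(1408829044.820:490): avc: denied { write } for pid=5950 comm="iw" '
    'scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1',
]

# Named permission sets as defined in refpolicy's obj_perm_sets.spt, copied by
# hand (assumption: they match the refpolicy revision the patch was written for).
RW_SOCKET_PERMS = {"ioctl", "read", "getattr", "write", "setattr", "append",
                   "bind", "connect", "getopt", "setopt", "shutdown"}
PERM_SETS = {
    "create_socket_perms": {"create"} | RW_SOCKET_PERMS,
    "create_netlink_socket_perms": {"create", "nlmsg_read", "nlmsg_write"} | RW_SOCKET_PERMS,
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the denied perms, source type, target type and class of one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],   # user:role:type[:mls]
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def collect_denials(lines):
    """Union the denied permissions per (source type, target type, class)."""
    denied = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            denied[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(denied)


def choose_perm_set(perms, candidates=PERM_SETS):
    """Smallest named set that covers every denied permission, or None."""
    covering = [(len(s), name) for name, s in candidates.items() if perms <= s]
    return min(covering)[1] if covering else None


def allow_rules(lines):
    """Emit one allow rule per (source, target, class); 'self' when source == target."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(collect_denials(lines).items()):
        target = "self" if stype == ttype else ttype
        name = choose_perm_set(perms)
        perm_str = name if name else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(AVC_LINES):
        print(rule)
```

Run against the five quoted denials this produces exactly the line the patch adds, `allow ifconfig_t self:netlink_socket create_socket_perms;`. When no named set covers the union, the raw permission list is emitted instead, which is the cue to look for a different macro or to question whether the denial should be allowed at all rather than silently widening a rule.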
---
policy/modules/system/sysnetwork.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/sysnetwork.te
b/policy/modules/system/sysnetwork.te
index cb0922d..b95de37 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -276,6 +276,7 @@ allow ifconfig_t self:msg { send receive };
allow ifconfig_t self:udp_socket create_socket_perms;
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
+allow ifconfig_t self:netlink_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms
nlmsg_read };
allow ifconfig_t self:tcp_socket { create ioctl };
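Review bot: the new `netlink_socket` rule lands directly under the `# for /sbin/ip` comment that annotates the `packet_socket` line, so a reader of sysnetwork.te will attribute it to ip rather than to iw; add a comment of its own (e.g. `# for iw (generic netlink)`) or place the line after the `netlink_xfrm_socket` rule so the existing comment keeps its scope. Also worth stating in the commit message: the five denials only cover { create setopt bind getattr write }, and `create_socket_perms` grants more than that (it is the same macro the neighbouring `udp_socket` and `packet_socket` rules use, so the choice is consistent with the file, but the widening is deliberate and should be said so).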