Allow dhcp client to update kernel routing table plus context updates

This small patch updates the dhcpc_t (DHCP client domain) to allow updating the
kernel's routing tables (as that is a primary purpose of a DHCP client) as well
as interact with the kernel through the net_sysctls.

Also, one client (dhcpcd) uses /var/run/dhcpcd so add that in the file context
definition as well.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Sven Vermeulen 2011-08-23 13:18:31 +02:00 committed by Chris PeBenito
parent 5802e169eb
commit 4976982e85
2 changed files with 3 additions and 1 deletions


@ -60,6 +60,7 @@ ifdef(`distro_redhat',`
/var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
/var/run/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_var_run_t,s0)
ifdef(`distro_gentoo',`
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
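Review bot: The new `/var/run/dhcpcd(/.*)?` entry labels a directory and everything under it, but a file-context entry is only applied on relabel, so the label at creation time depends on a matching type transition in the type-enforcement file. The neighbouring `/var/run/dhclient.*` entry is limited to regular files with `--`, which suggests the existing rules may cover files only. Please confirm that the policy has a directory transition and directory permissions, for example `files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })` and `manage_dirs_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)`. Neither is added in the other file section of this commit, and whether they already exist is not visible here. Without them, a directory that dhcpcd creates at runtime would presumably keep the generic /var/run type until the next relabel.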


@ -50,7 +50,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
allow dhcpc_t self:udp_socket create_socket_perms;
allow dhcpc_t self:packet_socket create_socket_perms;
allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
@ -85,6 +85,7 @@ kernel_search_network_sysctl(dhcpc_t)
kernel_read_kernel_sysctls(dhcpc_t)
kernel_request_load_module(dhcpc_t)
kernel_use_fds(dhcpc_t)
kernel_rw_net_sysctls(dhcpc_t)
corecmd_exec_bin(dhcpc_t)
corecmd_exec_shell(dhcpc_t)
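Review bot: `kernel_rw_net_sysctls(dhcpc_t)` grants write access to every net sysctl, which is wider than the routing-table updates the commit message gives as the motivation; the `nlmsg_write` addition on `netlink_route_socket` already covers route changes. dhcpc_t parses replies from untrusted network peers and may execute shells (`corecmd_exec_shell(dhcpc_t)` just below), so writable forwarding, redirect and reverse-path-filter settings enlarge what a compromised client can alter. If only some clients need write access, consider wrapping the call in a tunable or distro-specific block. At minimum, add a why-comment above it such as `# dhcpcd adjusts per-interface settings under /proc/sys/net` (the exact keys need confirming against the client). The existing `kernel_search_network_sysctl(dhcpc_t)` likely becomes redundant once the rw interface is present.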