From 4976982e857964e95787937515ce6054cc08df76 Mon Sep 17 00:00:00 2001
From: Sven Vermeulen
Date: Tue, 23 Aug 2011 13:18:31 +0200
Subject: [PATCH] Allow dhcp client to update kernel routing table plus context updates

This small patch updates the dhcpc_t (DHCP client domain) to allow updating the kernel's routing tables (as that is a primary purpose of a DHCP client) as well as interact with the kernel through the net_sysctls. Also, one client (dhcpcd) uses /var/run/dhcpcd so add that in the file context definition as well.

Signed-off-by: Sven Vermeulen
---
 policy/modules/system/sysnetwork.fc | 1 +
 policy/modules/system/sysnetwork.te | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 694fd9471..f515dd5bc 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -60,6 +60,7 @@ ifdef(`distro_redhat',`
 /var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
 /var/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+/var/run/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 ifdef(`distro_gentoo',`
 /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index d716d3506..889b2a2c0 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -50,7 +50,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
 allow dhcpc_t self:tcp_socket create_stream_socket_perms;
 allow dhcpc_t self:udp_socket create_socket_perms;
 allow dhcpc_t self:packet_socket create_socket_perms;
-allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
 allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
 read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
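Review bot: The new `/var/run/dhcpcd(/.*)?` entry only takes effect at relabel time (setfiles/restorecon); if dhcpcd creates that directory itself at start-up, as the commit message suggests, the directory will come out as var_run_t and the files under it inherit that label until the next relabel, so sysnetwork.te needs a matching runtime transition such as `files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, dir)` — the domain's existing pid transition is outside this hunk, so I cannot see whether it already covers the dir class or only files. Without it, the manage rules this module grants on dhcpc_var_run_t would not apply to the objects dhcpcd actually creates. Note also that, unlike the neighbouring `/var/run/dhclient.* --` entry, this pattern carries no file-type field and therefore labels the directory and every object beneath it (pid files, sockets, lease data); that is presumably intended, and a one-line `# dhcpcd runtime directory (pid and lease files)` next to the entry would record it.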
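Review bot: `nlmsg_write` on the rtnetlink socket is not limited to routing-table updates: it also permits adding and removing addresses, changing link state and deleting existing routes, and dhcpc_t is the domain that parses lease data received from an untrusted network, so the widened allow rule deserves a why-comment at the point of grant, e.g. `# dhcp clients apply lease data to the kernel via rtnetlink: addresses and routes`. It is also worth confirming from the AVC denials which client actually sends rtnetlink messages itself; if dhclient only drives ip(8)/route(8) from its hook scripts, the `corecmd_exec_bin`/`corecmd_exec_shell` rules already present in this file cover that path and the write permission is motivated by dhcpcd alone, which the comment should say. The rule change itself is the right fix for a client that configures the stack directly; the point is only to document the scope of what is being granted.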
@@ -85,6 +85,7 @@ kernel_search_network_sysctl(dhcpc_t)
 kernel_read_kernel_sysctls(dhcpc_t)
 kernel_request_load_module(dhcpc_t)
 kernel_use_fds(dhcpc_t)
+kernel_rw_net_sysctls(dhcpc_t)
 corecmd_exec_bin(dhcpc_t)
 corecmd_exec_shell(dhcpc_t)
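Review bot: `kernel_rw_net_sysctls(dhcpc_t)` grants write access to the entire sysctl_net_t tree (ip_forward, rp_filter, accept_redirects and the rest), not just the handful of entries a DHCP client tunes, and refpolicy offers no finer-grained type for that subtree, so the broad grant should carry a comment naming what is actually written, e.g. `# dhcpcd writes net/ipv6/conf/*/accept_ra when it handles RA itself - confirm against the denials`. The commit message only says the client must "interact" with the net sysctls; if the denials were reads alone, `kernel_read_net_sysctls(dhcpc_t)` is the least-privilege choice and should be preferred. With the rw interface in place, the `kernel_search_network_sysctl(dhcpc_t)` call on the hunk's context line is most likely redundant (the rw interface's rw_files_pattern normally carries search on the sysctl directories — verify in kernel.if) and can be dropped to keep the block minimal.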