sysnetwork: fix privilege separation functionality of dhcpcd

Fixes:
dhcpcd[410]: ps_dropprivs: chroot: /var/lib/dhcpcd: Operation not permitted
dhcpcd[410]: failed to drop privileges: Operation not permitted
dhcpcd[264]: setrlimit RLIMIT_NOFILE: Permission denied
dhcpcd[264]: setrlimit RLIMIT_NPROC: Permission denied

avc:  denied  { sys_chroot } for  pid=332 comm="dhcpcd" capability=18
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
permissive=0

avc:  denied  { setgid } for  pid=332 comm="dhcpcd" capability=6
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
permissive=0

avc:  denied  { setuid } for  pid=332 comm="dhcpcd" capability=7
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
permissive=0

avc:  denied  { setrlimit } for  pid=332 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=process
permissive=0

avc:  denied  { getattr } for  pid=330 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
This commit is contained in:
Yi Zhao 2020-09-24 14:05:52 +08:00
parent b1f16bf755
commit 77fd73e6b8


@ -61,11 +61,11 @@ ifdef(`distro_debian',`
#
# DHCP client local policy
#
allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config };
allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setgid setpcap setuid sys_chroot sys_nice sys_resource sys_tty_config };
dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms setrlimit };
allow dhcpc_t self:cap_userns { net_bind_service };
allow dhcpc_t self:fifo_file rw_fifo_file_perms;
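Review bot: The capabilities added on the `allow dhcpc_t self:capability` line (setgid, setuid, sys_chroot) and `setrlimit` on the `self:process` line carry no comment saying why they are needed, while the surrounding policy documents its non-obvious grants; a line such as `# dhcpcd privilege separation: launcher chroots to /var/lib/dhcpcd, drops uid/gid and tightens rlimits` above the capability rule would record it. Since every dhcpcd process, the unprivileged children included, runs in dhcpc_t, these grants apply domain-wide rather than only to the launcher that needs them, so the separation the kernel enforces here is weaker than a dedicated domain for the privileged launcher would give; that is a design caveat worth stating in the commit rather than a defect of the rule itself. The getattr denial on netlink_kobject_uevent_socket quoted in the description is not addressed by this hunk; the second hunk, which runs past the end of the page, may be where it is handled.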
@ -149,6 +149,7 @@ files_getattr_generic_locks(dhcpc_t)
files_manage_var_files(dhcpc_t)
fs_getattr_all_fs(dhcpc_t)
fs_getattr_nsfs_files(dhcpc_t)
fs_search_auto_mountpoints(dhcpc_t)
fs_search_cgroup_dirs(dhcpc_t)