Written by: Martin Orr
Run ifup and ifdown as ifconfig_t
Up until now they have just run as initrc_t, but if I use wpa-roam then wpasupplicant will run ifup and I don't want to set that up to transition to initrc_t. Perhaps I should give ifup its own domain. It doesn't need many extra rules, but some of them are big. I have labelled the if-up.d etc. scripts to run as initrc_t, which is of course the same domain as they ran as before (by default). These scripts can do a wide variety of different things, but this is a big privilege and they should probably have their own domain. /etc/network/if-up.d/wpasupplicant runs as wpa_cli_t, so need to allow transition to that domain.
Index: policy/modules/system/sysnetwork.fc
===================================================================
--- policy/modules/system/sysnetwork.fc.orig
+++ policy/modules/system/sysnetwork.fc
@@ -39,6 +39,8 @@
 /sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
 /sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ifdown -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ifup -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
Index: policy/modules/system/sysnetwork.te
===================================================================
--- policy/modules/system/sysnetwork.te.orig
+++ policy/modules/system/sysnetwork.te
@@ -263,6 +263,8 @@
 allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
 allow ifconfig_t self:tcp_socket { create ioctl };
 
+can_exec(ifconfig_t, ifconfig_exec_t)
+
 kernel_use_fds(ifconfig_t)
 kernel_read_system_state(ifconfig_t)
 kernel_read_network_state(ifconfig_t)
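Review bot: The new `/sbin/ifdown` and `/sbin/ifup` entries only give the two binaries ifconfig_exec_t; the transition into ifconfig_t that the commit message wants for wpasupplicant still depends on the calling domain holding sysnet_domtrans_ifconfig, which this patch does not touch, so presumably it is already granted but that is worth confirming. ifdown is commonly the same program as ifup, so the two identical entries are expected. A short comment above them, `# Debian ifupdown: ifup/ifdown run in ifconfig_t and exec the if-*.d hooks`, would record why a script driver is labelled alongside the low-level tools.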
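Review bot: `can_exec(ifconfig_t, ifconfig_exec_t)` here, together with `corecmd_exec_bin` and `corecmd_exec_shell` in the following hunk (@@ -270,6 +272,9), turns ifconfig_t from a narrow network-tool domain into one that runs shells and bin_t programs with no transition. Every domain that already holds sysnet_domtrans_ifconfig inherits that wider surface, which is the cost the commit message accepts by not giving ifup its own domain. A why-comment on the new line, `# ifup/ifdown exec ifconfig/ip and shell hooks in their own domain`, keeps that reason attached to the rule. If a separate ifup domain is carved out later, these three grants are the ones to move with it so hosts without ifupdown do not carry them.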
@@ -270,6 +272,9 @@
 kernel_search_network_sysctl(ifconfig_t)
 kernel_rw_net_sysctls(ifconfig_t)
 
+corecmd_exec_bin(ifconfig_t)
+corecmd_exec_shell(ifconfig_t)
+
 corenet_rw_tun_tap_dev(ifconfig_t)
 
 dev_read_sysfs(ifconfig_t)
@@ -279,7 +284,7 @@
 domain_use_interactive_fds(ifconfig_t)
 
 files_read_etc_files(ifconfig_t)
-files_read_etc_runtime_files(ifconfig_t)
+files_manage_etc_runtime_files(ifconfig_t)
 
 fs_getattr_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)
@@ -296,6 +301,7 @@
 
 init_use_fds(ifconfig_t)
 init_use_script_ptys(ifconfig_t)
+init_domtrans_script(ifconfig_t)
 
 libs_read_lib_files(ifconfig_t)
 
@@ -307,6 +313,8 @@
 
 seutil_use_runinit_fds(ifconfig_t)
 
+sysnet_domtrans_dhcpc(ifconfig_t)
+
 userdom_use_user_terminals(ifconfig_t)
 userdom_use_all_users_fds(ifconfig_t)
 
@@ -337,6 +345,10 @@
 ')
 
 optional_policy(`
+	networkmanager_cli_domtrans(ifconfig_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(ifconfig_t)
 ')
 
Index: policy/modules/system/init.fc
===================================================================
--- policy/modules/system/init.fc.orig
+++ policy/modules/system/init.fc
@@ -9,6 +9,11 @@
 /etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
 /etc/sysconfig/network-scripts/ifup-ipsec -- gen_context(system_u:object_r:initrc_exec_t,s0)
 
+/etc/network/if-down.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-post-down.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-pre-up.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-up.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
 /etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0)
 
 ifdef(`distro_gentoo',`
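Review bot: Swapping `files_read_etc_runtime_files` for `files_manage_etc_runtime_files` in the @@ -279,7 +284,7 hunk grants create, write and unlink on every etc_runtime_t file, not only the interface-state file ifup presumably keeps under /etc/network. If that state file is rewritten in place, `files_rw_etc_runtime_files(ifconfig_t)` is the narrower fit, and a dedicated type for it would be narrower still; the manage form is only justified if ifup creates and removes files there. A comment naming the file that needs the write access would let the next reviewer re-check the scope.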
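Review bot: `init_domtrans_script(ifconfig_t)` in the @@ -296,6 +301,7 hunk lets ifconfig_t enter initrc_t by executing any initrc_exec_t file, the most privileged transition in this patch, and it is now reachable from every domain that can domtrans to ifconfig_t rather than only from init scripts. That is the consequence the commit message itself flags when it says the hook scripts should probably get their own domain. Until they do, the rule deserves a comment, `# run the /etc/network/if-*.d hooks (initrc_exec_t) as initrc_t`, so the dependency on the init.fc labelling is visible at the point of grant.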
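Review bot: `networkmanager_cli_domtrans(ifconfig_t)` in the @@ -337,6 +345,10 hunk only takes effect if /etc/network/if-up.d/wpasupplicant carries wpa_cli's exec type, yet the init.fc hunk (@@ -9,6 +9,11) labels `/etc/network/if-up.d/.*` initrc_exec_t; a more specific entry for that script must therefore exist elsewhere and win over this regex, otherwise the hook transitions to initrc_t and the new rule is dead. That is worth confirming with a file_contexts lookup on the installed path. A one-line comment in the new optional_policy block, `# /etc/network/if-up.d/wpasupplicant is labelled for wpa_cli_t elsewhere`, records the cross-module dependency.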