Mailing List Archive

SELinux sysnetwork policy update?
Just updated all my SELinux policies to 20161023-r1 as they are now
stable, which undid one little fix, so I thought I would mention it.

Sysnetwork.te does not cover the possibility that dhcpcd may run
resolvconf from the dhcpc_script_t domain, which it seems is how my
dhcpcd works. This is fixed by adding:

optional_policy(`
resolvconf_client_domain(dhcpc_script_t)
')

to the dhcpc_script policy (end of the file). It seems like a reasonable
addition, given the same policy applies to the dhcpc_t domain.

Not sure if this sort of proposal should be filed as a bug or just
raised here?

Robert Sharp
Re: SELinux sysnetwork policy update?
On 9 Dec 2016 16:29, "Robert Sharp" <selinux@sharp.homelinux.org> wrote:

Just updated all my SELinux policies to 20161023-r1 as they are now stable,
which undid one little fix, so I thought I would mention it.

Sysnetwork.te does not cover the possibility that dhcpcd may run resolvconf
from the dhcpc_script_t domain, which it seems is how my dhcpcd works. This
is fixed by adding:

optional_policy(`
resolvconf_client_domain(dhcpc_script_t)
')

to the dhcpc_script policy (end of the file). It seems like a reasonable
addition, given the same policy applies to the dhcpc_t domain.

Not sure if this sort of proposal should be filed as a bug or just raised
here?

Robert Sharp

Can you file a bug on bugs.gentoo.org and say this and also list the AVCs
you get from audit.log?

I have already prepared the -r2 release just haven't pushed it to the repo
yet so I probably won't add to that cuz I don't want to do it last min. The
-r2 policies will be out as soon as I figure out why the 4.8 kernel isn't
booting for me.

Thanks!
Jason
Re: SELinux sysnetwork policy update?
On 10/12/16 06:19, Jason Zaman wrote:
>
>
> On 9 Dec 2016 16:29, "Robert Sharp" <selinux@sharp.homelinux.org> wrote:
>
> Just updated all my SELinux policies to 20161023-r1 as they are
> now stable, which undid one little fix, so I thought I would
> mention it.
>
> Sysnetwork.te does not cover the possibility that dhcpcd may run
> resolvconf from the dhcpc_script_t domain, which it seems is how
> my dhcpcd works. This is fixed by adding:
>
> optional_policy(`
> resolvconf_client_domain(dhcpc_script_t)
> ')
>
> to the dhcpc_script policy (end of the file). It seems like a
> reasonable addition, given the same policy applies to the dhcpc_t
> domain.
>
> Not sure if this sort of proposal should be filed as a bug or just
> raised here?
>
> Robert Sharp
>
> Can you file a bug on bugs.gentoo.org and say
> this and also list the AVCs you get from audit.log?
>
> I have already prepared the -r2 release just haven't pushed it to the
> repo yet so I probably won't add to that cuz I don't want to do it
> last min. The -r2 policies will be out as soon as I figure out why the
> 4.8 kernel isn't booting for me.
>
> Thanks!
> Jason
>
Hi Jason,

Just filing the bug and I realise I did not save any AVCs relating to
dhcpc_script_t, but only those for resolvconf itself. It would be useful
to include the former but to do that I need to unwind my locally patched
policy. I know I can use semodule -r to remove the patched module, but
how do I get the original policy re-instated given it is part of the
core? I guess I could create another local module from my git clone and
load that?

Thanks,

Robert
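Jason asked for the AVCs from audit.log, and Robert notes he only kept the resolvconf ones. The script below is an added example (not from the thread or the Gentoo policy repo) that pulls the denials for one source domain out of an audit.log and reduces them to distinct target type / class / permission tuples, which is the shape a bug report needs. The AVC lines in AVC_SAMPLE are constructed samples in the standard audit record format, not Robert's real log.

```shell
#!/bin/sh
# Added example: summarise AVC denials for one source domain so they can be
# attached to a bug report. The sample records below are constructed; they
# follow the kernel's AVC record layout but are not from a real machine.
AVC_SAMPLE='type=AVC msg=audit(1481299200.101:501): avc:  denied  { execute } for  pid=2201 comm="dhcpcd-run-hooks" name="resolvconf" dev="sda2" ino=4410 scontext=system_u:system_r:dhcpc_script_t:s0 tcontext=system_u:object_r:resolvconf_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1481299200.102:502): avc:  denied  { read open } for  pid=2202 comm="resolvconf" path="/run/resolvconf/interfaces" dev="tmpfs" ino=112 scontext=system_u:system_r:dhcpc_script_t:s0 tcontext=system_u:object_r:resolvconf_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1481299200.103:503): avc:  denied  { write } for  pid=2203 comm="dhcpcd" name="resolv.conf" dev="sda2" ino=9912 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1481299200.101:501): arch=c000003e syscall=59 success=no exit=-13'

# avc_summary FILE DOMAIN
# Prints one line per distinct "<target type> <class> <permissions>" tuple
# among the AVC denials whose source type is DOMAIN, e.g.
#   resolvconf_exec_t file execute
# SYSCALL and other record types are ignored; only the type field of the
# target context is kept, since that is what a policy interface is keyed on.
avc_summary() {
    file="$1"
    domain="$2"
    grep '^type=AVC ' "$file" \
      | grep "scontext=[^ ]*:${domain}:" \
      | sed -n 's/.*denied  { \([^}]*\) } .*tcontext=[^ ]*:\([a-z0-9_]*\):[^ ]* tclass=\([a-z0-9_]*\).*/\2 \3 \1/p' \
      | sort -u
}

# Stand-alone demo on the constructed sample; on a real system pass the path
# to audit.log (or the output of "ausearch -m avc") instead.
sample_file=$(mktemp)
printf '%s\n' "$AVC_SAMPLE" > "$sample_file"
avc_summary "$sample_file" dhcpc_script_t
rm -f "$sample_file"
```

The second sample record shows why the whole domain's denials matter: the hook script's resolvconf run also touches resolvconf's runtime directory, which is exactly what resolvconf_client_domain() is meant to cover.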