SELinux sysnetwork policy update?

SELinux sysnetwork policy update?

Robert Sharp

Just updated all my SELinux policies to 20161023-r1 as they are now stable, which undid one little fix, so I thought I would mention it.

Sysnetwork.te does not cover the possibility that dhcpcd may run resolvconf from the dhcpc_script_t domain, which it seems is how my dhcpcd works. This is fixed by adding:

optional_policy(`
	resolvconf_client_domain(dhcpc_script_t)
')

to the dhcpc_script policy (end of the file). It seems like a reasonable addition, given the same policy applies to the dhcpc_t domain.

Not sure if this sort of proposal should be filed as a bug or just raised here?

Robert Sharp

Re: SELinux sysnetwork policy update?

Jason Zaman


On 9 Dec 2016 16:29, "Robert Sharp" <[hidden email]> wrote:

> Just updated all my SELinux policies to 20161023-r1 as they are now stable, which undid one little fix, so I thought I would mention it.
>
> Sysnetwork.te does not cover the possibility that dhcpcd may run resolvconf from the dhcpc_script_t domain, which it seems is how my dhcpcd works. This is fixed by adding:
>
> optional_policy(`
> 	resolvconf_client_domain(dhcpc_script_t)
> ')
>
> to the dhcpc_script policy (end of the file). It seems like a reasonable addition, given the same policy applies to the dhcpc_t domain.
>
> Not sure if this sort of proposal should be filed as a bug or just raised here?
>
> Robert Sharp

Can you file a bug on bugs.gentoo.org and say this and also list the AVCs you get from audit.log?

I have already prepared the -r2 release, I just haven't pushed it to the repo yet, so I probably won't add to that because I don't want to do it at the last minute. The -r2 policies will be out as soon as I figure out why the 4.8 kernel isn't booting for me.

Thanks!
Jason

Re: SELinux sysnetwork policy update?

Robert Sharp

On 10/12/16 06:19, Jason Zaman wrote:

> On 9 Dec 2016 16:29, "Robert Sharp" <[hidden email]> wrote:
>
> > Just updated all my SELinux policies to 20161023-r1 as they are now stable, which undid one little fix, so I thought I would mention it.
> >
> > Sysnetwork.te does not cover the possibility that dhcpcd may run resolvconf from the dhcpc_script_t domain, which it seems is how my dhcpcd works. This is fixed by adding:
> >
> > optional_policy(`
> > 	resolvconf_client_domain(dhcpc_script_t)
> > ')
> >
> > to the dhcpc_script policy (end of the file). It seems like a reasonable addition, given the same policy applies to the dhcpc_t domain.
> >
> > Not sure if this sort of proposal should be filed as a bug or just raised here?
> >
> > Robert Sharp
>
> Can you file a bug on bugs.gentoo.org and say this and also list the AVCs you get from audit.log?
>
> I have already prepared the -r2 release, I just haven't pushed it to the repo yet, so I probably won't add to that because I don't want to do it at the last minute. The -r2 policies will be out as soon as I figure out why the 4.8 kernel isn't booting for me.
>
> Thanks!
> Jason

Hi Jason,

Just filing the bug and I realise I did not save any AVCs relating to dhcpc_script_t, but only those for resolvconf itself. It would be useful to include the former, but to do that I need to unwind my locally patched policy. I know I can use semodule -r to remove the patched module, but how do I get the original policy reinstated given it is part of the core? I guess I could create another local module from my git clone and load that?

Thanks,

Robert
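Building on the rule proposed in the first post and Jason's request for the matching AVCs from audit.log, the following is an added shell example (not from the thread, and not code from the Gentoo policy repo) that filters audit.log denials by source domain and writes the proposed rule as a separate local module rather than patching the core sysnetwork module. The audit.log lines are constructed, and the Gentoo refpolicy Makefile path in the trailing comments is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: pull the AVC denials that Jason asks for
# out of an audit.log for one source domain, and write the proposed rule as a
# standalone local module instead of patching the core sysnetwork module.
# Assumes the refpolicy interface resolvconf_client_domain() from the thread
# and the standard "avc:  denied" audit.log format; the log below is constructed.

# Print AVC denials whose source context type is the given domain.
avc_for_domain() {
    domain="$1"; logfile="$2"
    grep 'avc:  denied' "$logfile" | grep -E "scontext=[^ ]*:${domain}:"
}

# Same, but return the count so it can be checked.
avc_count_for_domain() {
    avc_for_domain "$1" "$2" | wc -l | tr -d ' '
}

# Write a local module that only adds the rule from the first post; the
# core sysnetwork module stays untouched and the module can be removed
# with "semodule -r local_dhcpc_resolvconf" to get the original AVCs back.
write_local_module() {
    cat > "$1" <<'EOF'
policy_module(local_dhcpc_resolvconf, 1.0)

gen_require(`
	type dhcpc_script_t;
')

optional_policy(`
	resolvconf_client_domain(dhcpc_script_t)
')
EOF
}

# Constructed sample log: two denials from dhcpc_script_t, one from resolvconf_t.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1481300000.123:456): avc:  denied  { execute } for  pid=1234 comm="dhcpcd-run-hooks" name="resolvconf" scontext=system_u:system_r:dhcpc_script_t:s0 tcontext=system_u:object_r:resolvconf_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1481300000.125:457): avc:  denied  { read } for  pid=1234 comm="dhcpcd-run-hooks" name="resolvconf" scontext=system_u:system_r:dhcpc_script_t:s0 tcontext=system_u:object_r:resolvconf_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1481300001.000:458): avc:  denied  { write } for  pid=999 comm="resolvconf" name="resolv.conf" scontext=system_u:system_r:resolvconf_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
EOF

# On a refpolicy system (assumed Gentoo paths; not run here):
#   write_local_module local_dhcpc_resolvconf.te
#   make -f /usr/share/selinux/strict/include/Makefile local_dhcpc_resolvconf.pp
#   semodule -i local_dhcpc_resolvconf.pp
```

Running `avc_for_domain dhcpc_script_t /var/log/audit/audit.log` on the real log gives the lines to paste into the bug report.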