[refpolicy] [PATCH 1/2] Update for pump DHCP client

Sven Vermeulen sven.vermeulen at siphos.be
Tue May 7 14:37:05 EDT 2013

When invoking the pump DHCP client, the client immediately aborts. No errors are
shown, but the process isn't running and the returncode is 1.

The denials reveal that pump wants to create a socket in /var/run (called
pump.sock). After granting dhcpc_t the rights to manage dhcpc_var_run_t
sock_file objects and introducing a files_pid_filetrans for sock_file, pump gives the
next failure:

~# pump -i eth0
failed to connect to localhost:bootpc: Connection refused

From the denials, we get that pump requires "accept" on its own
unix_stream_socket, which iteratively expands to "accept listen connectto". Once
assigned, pump seems to work again.

Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
 policy/modules/system/sysnetwork.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 11247e2..49c5dfe 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -54,6 +54,7 @@ allow dhcpc_t self:tcp_socket create_stream_socket_perms;
 allow dhcpc_t self:udp_socket create_socket_perms;
 allow dhcpc_t self:packet_socket create_socket_perms;
 allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
+allow dhcpc_t self:unix_stream_socket { accept listen connectto };
 allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
 read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
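Review bot: the new unix_stream_socket rule spells out `{ accept listen connectto }` by hand, whereas the surrounding rules (see the `tcp_socket create_stream_socket_perms` line in the hunk header) use the refpolicy permission-set macros, and `create_stream_socket_perms` already covers listen and accept. Consider `allow dhcpc_t self:unix_stream_socket { create_stream_socket_perms connectto };`, merged with any existing `self:unix_stream_socket` rule for dhcpc_t elsewhere in the file, so the socket-creation permissions and the listen/accept/connectto additions live in one rule rather than two.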
@@ -64,9 +65,10 @@ manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
 filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
 # create pid file
+allow dhcpc_t dhcpc_var_run_t:sock_file manage_sock_file_perms;
 manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
 create_dirs_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
+files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir sock_file })
 # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
 # in /etc created by dhcpcd will be labelled net_conf_t.
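Review bot: the added `allow dhcpc_t dhcpc_var_run_t:sock_file manage_sock_file_perms;` is placed directly under the `# create pid file` comment, which now no longer describes the line that follows it; either extend the comment (e.g. `# create pid file and unix socket`) or move the sock_file rule below the `create_dirs_pattern` line. For consistency with the adjacent `manage_files_pattern` and `create_dirs_pattern` calls, the same permission can be expressed as `manage_sock_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)` instead of a raw allow rule. The `files_pid_filetrans` change adding `sock_file` to the class set matches the commit message and looks correct.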
