[refpolicy] [PATCH 2/3] Allow iw to create generic netlink sockets

Christopher J. PeBenito cpebenito at tresys.com
Thu Oct 23 12:13:22 UTC 2014


On 10/18/2014 9:30 AM, Nicolas Iooss wrote:
> iw uses a generic netlink socket to configure WiFi properties.  For
> example, "strace iw dev wlan0 set power_save on" outputs:
> 
>     socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
>     setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
>     setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0
>     bind(3, {sa_family=AF_NETLINK, pid=7836, groups=00000000}, 12) = 0
> 
> Some AVC denials are reported in audit.log:
> 
>     type=AVC msg=audit(1408829044.820:486): avc:  denied  { create } for
>     pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
>     tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
>     permissive=1
>     type=AVC msg=audit(1408829044.820:487): avc:  denied  { setopt } for
>     pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
>     tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
>     permissive=1
>     type=AVC msg=audit(1408829044.820:488): avc:  denied  { bind } for
>     pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
>     tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
>     permissive=1
>     type=AVC msg=audit(1408829044.820:489): avc:  denied  { getattr }
>     for  pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
>     tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
>     permissive=1
>     type=AVC msg=audit(1408829044.820:490): avc:  denied  { write } for
>     pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
>     tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
>     permissive=1
> 
> Allowing ifconfig_t to create generic netlink sockets fixes this.

Merged.


> (On a side note, the AVC denials were caused by TLP, a tool which
> applies "laptop configuration" when switching between AC and battery
> with the help of a udev script)
> ---
>  policy/modules/system/sysnetwork.te | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index 0a3ea3d979b9..bcba404cd38e 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -274,6 +274,7 @@ allow ifconfig_t self:msg { send receive };
>  allow ifconfig_t self:udp_socket create_socket_perms;
>  # for /sbin/ip
>  allow ifconfig_t self:packet_socket create_socket_perms;
> +allow ifconfig_t self:netlink_socket create_socket_perms;
>  allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
>  allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
>  allow ifconfig_t self:tcp_socket { create ioctl };
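Review bot: the added line sits directly under the existing `# for /sbin/ip` comment, so a reader of sysnetwork.te will take the generic netlink socket rule to be for /sbin/ip as well; give it its own comment naming iw (e.g. `# for iw` immediately above `+allow ifconfig_t self:netlink_socket create_socket_perms;`), since the description attributes these sockets to iw. Also worth stating in the commit message that create_socket_perms is deliberately broader than the five permissions in the quoted denials (create, setopt, bind, getattr, write); it follows the convention of the adjacent udp_socket and packet_socket lines rather than being the minimal rule audit2allow would emit.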
> 

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
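As an added illustration of the workflow behind the patch description (collect the AVC denials, derive the allow rule, then check whether a refpolicy permission macro covers it), here is a small Python script. It is not part of the patch or of refpolicy; the sample audit lines are the five denials quoted above, re-joined onto one line per record as audit.log stores them, and the expansion of create_socket_perms is reproduced from memory of refpolicy's policy/support/obj_perm_sets.spt (an assumption to verify against your checkout). Function names are hypothetical.

```python
import re

# Constructed sample input: the five denials quoted in the patch description,
# one record per line as they appear in /var/log/audit/audit.log.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1408829044.820:486): avc:  denied  { create } for  pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:487): avc:  denied  { setopt } for  pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:488): avc:  denied  { bind } for  pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:489): avc:  denied  { getattr } for  pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:490): avc:  denied  { write } for  pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
"""

# Permission sets as defined in refpolicy's policy/support/obj_perm_sets.spt
# (assumption: reproduced from memory of that file, not taken from this patch).
RW_SOCKET_PERMS = frozenset({"ioctl", "read", "getattr", "write", "setattr", "append",
                             "bind", "connect", "getopt", "setopt", "shutdown"})
CREATE_SOCKET_PERMS = frozenset({"create"}) | RW_SOCKET_PERMS

# Matches the parts of an AVC record we need: permissions, both contexts, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]


def parse_avc(lines):
    """Group denied permissions by (source type, target type, object class).

    The target is rendered as 'self' when the target context equals the
    source context, which is how the policy expresses it.
    """
    denials = {}
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial; other audit record types are ignored
        src = type_of(m.group("scontext"))
        tgt = "self" if m.group("scontext") == m.group("tcontext") else type_of(m.group("tcontext"))
        key = (src, tgt, m.group("tclass"))
        denials.setdefault(key, set()).update(m.group("perms").split())
    return denials


def allow_rules(denials):
    """Render the minimal allow rules, one per (source, target, class) triple."""
    return [f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, tclass), perms in sorted(denials.items())]


def uncovered(denied, perm_set):
    """Permissions from the denials that a candidate macro would not grant."""
    return set(denied) - set(perm_set)


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT.splitlines())
    for rule in allow_rules(found):
        print(rule)
    for key, perms in found.items():
        missing = uncovered(perms, CREATE_SOCKET_PERMS)
        verdict = "covered by create_socket_perms" if not missing else f"missing {sorted(missing)}"
        print(key, verdict)
```

Run against the sample it prints the minimal rule `allow ifconfig_t self:netlink_socket { bind create getattr setopt write };` and reports that create_socket_perms is a superset of those five permissions, which is the trade-off the patch makes when it uses the macro instead of the minimal set.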

