Re: [PATCH misc 3/3] networkmanager apt bootloader dpkg raid modutils tor devicekit dicts irqbalance policykit and postfix


On Thu, Jan 3, 2019 at 2:19 AM Russell Coker <russell@xxxxxxxxxxxx> wrote:
>
> On Thursday, 3 January 2019 11:14:06 AM AEDT Chris PeBenito wrote:
> > On 1/2/19 4:20 AM, Russell Coker wrote:
> > > Trivial stuff.
> > >
> > >
> > > Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> > > ===================================================================
> > > --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> > > +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> > > @@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
> > >
> > >   allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom
> > >   relabelto }; allow NetworkManager_t self:packet_socket
> > >   create_socket_perms;
> > >   allow NetworkManager_t self:socket create_socket_perms;
> > >
> > > +allow NetworkManager_t self:rawip_socket { create setopt getattr write
> > > read };
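Review bot: the new rawip_socket rule in this hunk has no justification in the commit message ("Trivial stuff"), yet granting NetworkManager_t a raw IP socket widens what the domain can do on the wire and is the one rule that draws a question below; record the triggering AVC denial and the reason (which protocol the raw socket carries) in the commit message, and consider whether `create_socket_perms`, as used on the neighbouring tun_socket and packet_socket lines in this hunk, is the intended macro rather than the hand-listed `{ create setopt getattr write read }`.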
> > This seems odd.  Can you provide any more details on this?
>
> From memory it appeared to be some sort of ping functionality built in.  Feel
> free to drop that section and apply the rest; I can do more testing on it if
> you like.

For information, I have a patch in my policy (that I never found the
time to send) which adds "allow NetworkManager_t self:rawip_socket
create_socket_perms;" with the following description:

    Allow NetworkManager to use raw IP sockets

    NetworkManager uses raw sockets to send and receive ICMPv6 packets.

    "ss --raw -lpn" shows:

        State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
        UNCONN  0       0       :::ipv6-icmp        :::*
        users:(("NetworkManager",pid=31474,fd=22))

    and audit.log reports AVC denials from NetworkManager for create,
    setopt, getattr and write in the rawip_socket class.  Here is an excerpt for
    a denied write ("lport=58" means "ipv6-icmp", cf. /etc/protocols):

      type=AVC msg=audit(1414245913.538:386): avc:  denied  { write } for
      pid=31474 comm="NetworkManager" lport=58
      scontext=system_u:system_r:NetworkManager_t
      tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket

I agree with adding the required permissions to NetworkManager (ICMPv6
is used for Router Solicitation/Router Advertisement packets).

Nicolas
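As an added illustration of how the denials quoted above turn into the policy rule under discussion (example code written for this page, not from refpolicy or from anyone in the thread; the audit records are constructed from the single denial Nicolas quotes), the script below groups AVC denials by source type and object class and emits one allow rule per group, using the `self` shorthand when source and target types match. It does, in miniature, what audit2allow does in practice, and it skips non-AVC records such as SYSCALL.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the AVC denial quoted in the thread.
# A real audit.log carries one AVC record per denied permission; the SYSCALL
# record is included to show that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1414245913.538:383): avc:  denied  { create } for  pid=31474 comm="NetworkManager" scontext=system_u:system_r:NetworkManager_t tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket
type=AVC msg=audit(1414245913.538:384): avc:  denied  { setopt } for  pid=31474 comm="NetworkManager" lport=58 scontext=system_u:system_r:NetworkManager_t tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket
type=AVC msg=audit(1414245913.538:385): avc:  denied  { getattr } for  pid=31474 comm="NetworkManager" lport=58 scontext=system_u:system_r:NetworkManager_t tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket
type=AVC msg=audit(1414245913.538:386): avc:  denied  { write } for  pid=31474 comm="NetworkManager" lport=58 scontext=system_u:system_r:NetworkManager_t tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket
type=SYSCALL msg=audit(1414245913.538:386): arch=c000003e syscall=44 success=no exit=-13 comm="NetworkManager"
"""

# Permissions sit between braces; scontext/tcontext/tclass follow in that order.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def _type_of(context):
    # An SELinux context is user:role:type[:range]; the type is the third field.
    return context.split(':')[2]

def summarize_denials(log_text):
    """Map (source type, target, object class) -> sorted list of denied permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PROCTITLE and other non-AVC records
        stype = _type_of(m.group('scontext'))
        ttype = _type_of(m.group('tcontext'))
        # Same source and target type is written as "self" in policy, as in the patch.
        target = 'self' if stype == ttype else ttype
        grouped[(stype, target, m.group('tclass'))].update(m.group('perms').split())
    return {key: sorted(perms) for key, perms in grouped.items()}

def to_allow_rules(summary):
    """Render each denial group as one refpolicy-style allow rule."""
    rules = []
    for (stype, target, tclass), perms in sorted(summary.items()):
        body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {stype} {target}:{tclass} {body};')
    return rules

if __name__ == '__main__':
    for rule in to_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Running it on a live system's audit.log shows the full permission set a domain was denied before any rule is written, so the resulting allow line can be compared against the macro (here `create_socket_perms`) that the policy would normally use.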
