commit 515a76b8962ac25d5d2c2c62d330ccec03f7723a
author dcashman <dcashman@google.com> Fri Feb 14 17:17:55 2014 -0800
committer dcashman <dcashman@google.com> Fri Feb 14 17:17:55 2014 -0800
tree e6436343504790a3adb58ceae750460516facc37
parent 5fa2a19f211240298a6a4b7d019ff4ebf716d525

Allow dhcp rawip_socket permissions.

dhcpcd opens a raw ip socket in ipv6rs_open() to use ICMPv6.  This
facility should be available for all devices which have a need to
use it.

Addresses the following denials:
<5>[   42.699877] type=1400 audit(1392332560.306:8): avc:  denied  { create } for  pid=983 comm="dhcpcd" scontext=u:r:dhcp:s0 tcontext=u:r:dhcp:s0 tclass=rawip_socket
<5>[   42.699993] type=1400 audit(1392332560.306:9): avc:  denied  { setopt } for  pid=983 comm="dhcpcd" lport=58 scontext=u:r:dhcp:s0 tcontext=u:r:dhcp:s0 tclass=rawip_socket
<5>[   42.732208] type=1400 audit(1392332560.338:10): avc:  denied  { write } for  pid=983 comm="dhcpcd" lport=58 scontext=u:r:dhcp:s0 tcontext=u:r:dhcp:s0 tclass=rawip_socket

Bug: 12473306
Change-Id: Iee57a0cb4c2d2085a24d4b5fb23a5488f0fd3e03

dhcp.te

diff --git a/dhcp.te b/dhcp.te
index 785b204..c930b0f 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -10,6 +10,7 @@
 allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
 allow dhcp self:packet_socket create_socket_perms;
 allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
+allow dhcp self:rawip_socket create_socket_perms;
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries