commit 529fcbe06506d62370525f04380ae41ae7fc7892
author Robert Craig <rpcraig@tycho.ncsc.mil> Tue Jan 07 13:46:56 2014 -0500
committer Robert Craig <rpcraig@tycho.ncsc.mil> Tue Jan 07 14:03:32 2014 -0500
tree 36502201fcbabbe776d494cea3c6224a87b42fb1
parent 11c48d4c06dd36432d11985297374331155e7db6

Create proc_net type for /proc/sys/net entries.

/proc/sys/net could use its own type to help distinguish
among some of the proc access rules. Fix dhcp and netd
because of this.

Change-Id: I6e16cba660f07bc25f437bf43e1eba851a88d538
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

dhcp.te

diff --git a/dhcp.te b/dhcp.te
index 5856a26..e710360 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -13,7 +13,8 @@
 allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
-allow dhcp proc:file write;
+# For /proc/sys/net/ipv4/conf/*/promote_secondaries
+allow dhcp proc_net:file write;
 allow dhcp system_prop:property_service set ;
 allow dhcp dhcp_system_file:file rx_file_perms;
 allow dhcp dhcp_system_file:dir r_dir_perms;

domain.te

diff --git a/domain.te b/domain.te
index 4aa9c10..a498980 100644
--- a/domain.te
+++ b/domain.te
@@ -106,6 +106,7 @@
 r_dir_file(domain, sysfs_devices_system_cpu)
 r_dir_file(domain, inotify)
 r_dir_file(domain, cgroup)
+r_dir_file(domain, proc_net)
 
 # debugfs access
 allow domain debugfs:dir r_dir_perms;

file.te

diff --git a/file.te b/file.te
index 3ca9fd7..e255ae9 100644
--- a/file.te
+++ b/file.te
@@ -10,6 +10,7 @@
 type usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
+type proc_net, fs_type;
 type selinuxfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, mlstrustedobject;

genfs_contexts

diff --git a/genfs_contexts b/genfs_contexts
index 8560e38..99d4400 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -15,6 +15,7 @@
 genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0

netd.te

diff --git a/netd.te b/netd.te
index 72784da..f8c9ffb 100644
--- a/netd.te
+++ b/netd.te
@@ -16,8 +16,7 @@
 allow netd devpts:chr_file rw_file_perms;
 
 # For /proc/sys/net/ipv[46]/route/flush.
-# XXX Split /proc/sys/net into its own type.
-allow netd proc:file write;
+allow netd proc_net:file write;
 
 # For /sys/modules/bcmdhd/parameters/firmware_path
 # XXX Split into its own type.