Address SELinux denials with clatd.
<5>[ 216.710405] type=1400 audit(1392934645.702:17): avc: denied { use } for pid=2273 comm="clatd" path="socket:[9368]" dev="sockfs" ino=9368 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=fd
<5>[ 216.710553] type=1400 audit(1392934645.702:18): avc: denied { read write } for pid=2273 comm="clatd" path="socket:[9368]" dev="sockfs" ino=9368 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_kobject_uevent_socket
<5>[ 216.710727] type=1400 audit(1392934645.702:19): avc: denied { read } for pid=2273 comm="clatd" path="pipe:[9369]" dev="pipefs" ino=9369 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=fifo_file
<5>[ 216.710872] type=1400 audit(1392934645.702:20): avc: denied { read write } for pid=2273 comm="clatd" path="socket:[8214]" dev="sockfs" ino=8214 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=unix_stream_socket
<5>[ 216.711037] type=1400 audit(1392934645.702:21): avc: denied { write } for pid=2273 comm="clatd" path="pipe:[9369]" dev="pipefs" ino=9369 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=fifo_file
<5>[ 216.711208] type=1400 audit(1392934645.702:22): avc: denied { read write } for pid=2273 comm="clatd" path="socket:[9370]" dev="sockfs" ino=9370 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_route_socket
<5>[ 216.711334] type=1400 audit(1392934645.702:23): avc: denied { read write } for pid=2273 comm="clatd" path="socket:[9372]" dev="sockfs" ino=9372 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_nflog_socket
<5>[ 216.711513] type=1400 audit(1392934645.702:24): avc: denied { read write } for pid=2273 comm="clatd" path="socket:[11078]" dev="sockfs" ino=11078 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=udp_socket
<5>[ 216.713390] type=1400 audit(1392934645.702:25): avc: denied { dac_override } for pid=2273 comm="clatd" capability=1 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability
<5>[ 216.713528] type=1400 audit(1392934645.702:26): avc: denied { read write } for pid=2273 comm="clatd" name="tun" dev="tmpfs" ino=6127 scontext=u:r:clatd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file
<5>[ 314.513898] type=1400 audit(1392934743.501:42): avc: denied { setopt } for pid=2273 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket
<5>[ 314.514482] type=1400 audit(1392934743.501:43): avc: denied { getattr } for pid=2273 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket
<5>[ 314.515196] type=1400 audit(1392934743.501:44): avc: denied { write } for pid=2273 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket
<5>[ 314.516077] type=1400 audit(1392934743.501:45): avc: denied { connect } for pid=2273 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket
<5>[ 22.257024] type=1400 audit(1393016186.443:12): avc: denied { open } for pid=1934 comm="clatd" name="tun" dev="tmpfs" ino=6117 scontext=u:r:clatd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file
<5>[ 22.257274] type=1400 audit(1393016186.443:13): avc: denied { net_admin } for pid=1934 comm="clatd" capability=12 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability
<5>[ 22.257445] type=1400 audit(1393016186.443:14): avc: denied { write } for pid=1934 comm="clatd" name="forwarding" dev="proc" ino=10684 scontext=u:r:clatd:s0 tcontext=u:object_r:proc_net:s0 tclass=file
<5>[ 22.257618] type=1400 audit(1393016186.443:15): avc: denied { setgid } for pid=1934 comm="clatd" capability=6 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability
<5>[ 22.257753] type=1400 audit(1393016186.443:16): avc: denied { setuid } for pid=1934 comm="clatd" capability=7 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability
<5>[ 22.385005] type=1400 audit(1393016186.573:17): avc: denied { ioctl } for pid=1934 comm="clatd" path="/dev/tun" dev="tmpfs" ino=6117 scontext=u:r:clatd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file
<5>[ 22.385269] type=1400 audit(1393016186.573:18): avc: denied { create } for pid=1934 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=tun_socket
<5>[ 22.388955] type=1400 audit(1393016186.573:19): avc: denied { nlmsg_write } for pid=1934 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket
Change-Id: Ic760597df1aa4b33b3cb6e9a504dbcbd6f5d0116
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/clatd.te b/clatd.te
index 5483f4a..ec2df7e 100644
--- a/clatd.te
+++ b/clatd.te
@@ -3,5 +3,23 @@
permissive_or_unconfined(clatd)
type clatd_exec, exec_type, file_type;
-init_daemon_domain(clatd)
net_domain(clatd)
+
+# Access objects inherited from netd.
+allow clatd netd:fd use;
+allow clatd netd:fifo_file { read write };
+allow clatd netd:netlink_kobject_uevent_socket { read write };
+allow clatd netd:netlink_nflog_socket { read write };
+allow clatd netd:netlink_route_socket { read write };
+allow clatd netd:udp_socket { read write };
+allow clatd netd:unix_stream_socket { read write };
+
+allow clatd self:capability { net_admin setuid setgid };
+
+# TODO: Run clatd in vpn group to avoid need for this on /dev/tun.
+allow clatd self:capability dac_override;
+
+allow clatd self:netlink_route_socket { create_socket_perms nlmsg_write };
+allow clatd self:tun_socket create_socket_perms;
+allow clatd tun_device:chr_file rw_file_perms;
+allow clatd proc_net:file rw_file_perms;;
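Review bot: The last line of the hunk ends in a doubled semicolon, `allow clatd proc_net:file rw_file_perms;;`, which looks like a typo that checkpolicy is unlikely to accept; it should read `allow clatd proc_net:file rw_file_perms;`. That rule also grants read and write on every file labeled proc_net, while the only logged denial is a write to the `forwarding` node, so a narrower label for that node (if one exists or can be introduced) would keep the grant closer to what the daemon needs; the same applies to `rw_file_perms` on `tun_device`, where the log shows only open, read, write and ioctl. The block of "objects inherited from netd" rules grants a child domain read/write on netd's netlink, uevent, nflog and unix sockets; those descriptors appear to be leaked across the fork/exec from netd, and closing them or opening them close-on-exec in netd would let this block be removed rather than widened, which is worth noting as a TODO next to the existing one for `dac_override`.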