RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 988353 - Need policy for OpenLMI-Networking
Summary: Need policy for OpenLMI-Networking
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 909886 988330
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-07-25 11:41 UTC by Radek Novacek
Modified: 2016-12-01 00:31 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 988330
Environment:
Last Closed: 2014-06-13 11:26:58 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Radek Novacek 2013-07-25 11:41:08 UTC 
+++ This bug was initially created as a clone of Bug #988330 +++

OpenLMI-Networking provider needs a policy. This is similar request as bz979037 and bz983422 and bz987951.

Network provider manages network devices using NetworkManager via D-Bus.

Audit messages are attached.

Result of `ausearch -m avc -ts 12:16 | audit2allow`, with my comments:

#============= NetworkManager_t ==============
allow NetworkManager_t dhcpc_t:process { siginh noatsecure rlimitinh };
# ^^^ this doesn't seems to be related

#============= firewalld_t ==============
allow firewalld_t iptables_t:process { siginh noatsecure rlimitinh };
# ^^^ this doesn't seems to be related

#============= pegasus_openlmi_networking_t ==============
allow pegasus_openlmi_networking_t passwd_file_t:file { read getattr open };
allow pegasus_openlmi_networking_t pegasus_data_t:dir write;
allow pegasus_openlmi_networking_t proc_net_t:file { read getattr open };
allow pegasus_openlmi_networking_t self:capability { setuid net_admin setgid };
allow pegasus_openlmi_networking_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow pegasus_openlmi_networking_t self:udp_socket { create connect getattr };
allow pegasus_openlmi_networking_t sysfs_t:file { read write getattr open };
allow pegasus_openlmi_networking_t sysfs_t:lnk_file read;
allow pegasus_openlmi_networking_t system_dbusd_t:unix_stream_socket connectto;
allow pegasus_openlmi_networking_t system_dbusd_var_run_t:dir search;
allow pegasus_openlmi_networking_t system_dbusd_var_run_t:sock_file write;

#!!!! This avc can be allowed using the boolean 'global_ssp'
allow pegasus_openlmi_networking_t urandom_device_t:chr_file { read open };

#============= pegasus_t ==============
allow pegasus_t chkpwd_t:process { siginh noatsecure rlimitinh };
allow pegasus_t pegasus_openlmi_networking_t:process { siginh noatsecure rlimitinh };


Please check if the permission is reasonable for networking-handling provider. 
What the provider does:
* D-Bus communication with NetworkManager
* reading /proc/net/dev
* reading /sys/class/net/*/flags
* generating UUIDs with libuuid
* communication with pegasus (same for all providers)
Comment 2 Miroslav Grepl 2013-07-26 08:36:58 UTC 
Added to Fedora.
Comment 5 Ludek Smid 2014-06-13 11:26:58 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
Note You need to log in before you can comment on or make changes to this bug.