2017-06-09 13:30:24

by Christian Göttsche

Subject: [refpolicy] [PATCH] netutils: update

From: cgzones <[email protected]>

v2:
- keep files_read_etc_files interfaces

---
policy/modules/admin/netutils.fc | 1 +
policy/modules/admin/netutils.te | 15 +++------------
2 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 4f77e1cc6..54c0793f7 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -3,6 +3,7 @@
/usr/bin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
/usr/bin/iptstate -- gen_context(system_u:object_r:netutils_exec_t,s0)
/usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+/usr/bin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
/usr/bin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
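Review bot: The new `/usr/bin/mtr` line covers only the front-end binary; recent mtr releases (0.88 onwards, as far as I recall) move the raw-socket probing into a separate `mtr-packet` helper that distributions install with raw-socket privileges, and nothing here labels that helper, so on such systems the privileged part would run under whatever label its install path gets by default rather than traceroute_exec_t. Worth checking the installed layout on the target distributions and, if the helper is present, adding a matching entry such as `/usr/bin/mtr-packet -- gen_context(system_u:object_r:traceroute_exec_t,s0)` (path to be confirmed). The commit message also does not mention the mtr addition at all; a line like `Label mtr as traceroute_exec_t since it sends raw probe packets like traceroute` in the description would let reviewers see the rationale.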
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 4ea58479c..8f8f98042 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -49,7 +49,6 @@ manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })

-kernel_search_proc(netutils_t)
kernel_read_network_state(netutils_t)
kernel_read_all_sysctls(netutils_t)

@@ -86,9 +85,7 @@ logging_send_syslog_msg(netutils_t)

miscfiles_read_localization(netutils_t)

-term_dontaudit_use_console(netutils_t)
-userdom_use_user_terminals(netutils_t)
-userdom_use_all_users_fds(netutils_t)
+userdom_use_inherited_user_terminals(netutils_t)

optional_policy(`
nis_use_ypbind(netutils_t)
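Review bot: Dropping `term_dontaudit_use_console(netutils_t)` means a netutils tool started from a console session will now generate audit denials for the inherited console fd, because `userdom_use_inherited_user_terminals` (as far as I recall) grants inherited user ptys/ttys but not the console device. If surfacing those denials is the intent, the description should say so, e.g. `v2: drop console dontaudit for netutils_t so real console use is visible in audit`; otherwise the dontaudit line should stay. The same terminal substitution is made for `ping_t` and `traceroute_t` in the `@@ -142,7` and `@@ -212,7` hunks below and shares this question. The `optional_policy(` block opened at the end of this hunk closes outside it.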
@@ -127,12 +124,9 @@ corenet_tcp_sendrecv_all_ports(ping_t)

dev_read_urand(ping_t)

-fs_dontaudit_getattr_xattr_fs(ping_t)
-
domain_use_interactive_fds(ping_t)

files_read_etc_files(ping_t)
-files_dontaudit_search_var(ping_t)

kernel_read_system_state(ping_t)

@@ -142,7 +136,7 @@ logging_send_syslog_msg(ping_t)

miscfiles_read_localization(ping_t)

-userdom_use_user_terminals(ping_t)
+userdom_use_inherited_user_terminals(ping_t)

ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
@@ -197,12 +191,9 @@ corenet_tcp_connect_all_ports(traceroute_t)
corenet_sendrecv_all_client_packets(traceroute_t)
corenet_sendrecv_traceroute_server_packets(traceroute_t)

-fs_dontaudit_getattr_xattr_fs(traceroute_t)
-
domain_use_interactive_fds(traceroute_t)

files_read_etc_files(traceroute_t)
-files_dontaudit_search_var(traceroute_t)

init_use_fds(traceroute_t)

@@ -212,7 +203,7 @@ logging_send_syslog_msg(traceroute_t)

miscfiles_read_localization(traceroute_t)

-userdom_use_user_terminals(traceroute_t)
+userdom_use_inherited_user_terminals(traceroute_t)

#rules needed for nmap
dev_read_rand(traceroute_t)
--
2.11.0


2017-06-09 15:32:57

by Guido Trentalancia

Subject: [refpolicy] [PATCH] netutils: update

Yes, it is definitely better to keep files_read_etc_files() even if it
is included in other interfaces...

I think you recently removed it from other modules too. Iptables is one
of them (yesterday). Please, reintroduce it there too.

Regards,

Guido

On Fri, 09/06/2017 at 15.30 +0200, Christian Göttsche via
refpolicy wrote:
> From: cgzones <[email protected]>
>
> v2:
> - keep files_read_etc_files interfaces
>
> ---
> policy/modules/admin/netutils.fc | 1 +
> policy/modules/admin/netutils.te | 15 +++------------
> 2 files changed, 4 insertions(+), 12 deletions(-)
>
> diff --git a/policy/modules/admin/netutils.fc
> b/policy/modules/admin/netutils.fc
> index 4f77e1cc6..54c0793f7 100644
> --- a/policy/modules/admin/netutils.fc
> +++ b/policy/modules/admin/netutils.fc
> @@ -3,6 +3,7 @@
> /usr/bin/hping2 -- gen_context(system_u:object
> _r:ping_exec_t,s0)
> /usr/bin/iptstate -- gen_context(system_u:object_r:net
> utils_exec_t,s0)
> /usr/bin/lft -- gen_context(system_u:object_r:
> traceroute_exec_t,s0)
> +/usr/bin/mtr -- gen_context(system_u:object_r:
> traceroute_exec_t,s0)
> /usr/bin/nmap -- gen_context(system_u:object_r
> :traceroute_exec_t,s0)
> /usr/bin/ping.* -- gen_context(system_u:object_r:ping
> _exec_t,s0)
> /usr/bin/send_arp -- gen_context(system_u:object_r:pin
> g_exec_t,s0)
> diff --git a/policy/modules/admin/netutils.te
> b/policy/modules/admin/netutils.te
> index 4ea58479c..8f8f98042 100644
> --- a/policy/modules/admin/netutils.te
> +++ b/policy/modules/admin/netutils.te
> @@ -49,7 +49,6 @@ manage_dirs_pattern(netutils_t, netutils_tmp_t,
> netutils_tmp_t)
> manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
> files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
>
> -kernel_search_proc(netutils_t)
> kernel_read_network_state(netutils_t)
> kernel_read_all_sysctls(netutils_t)
>
> @@ -86,9 +85,7 @@ logging_send_syslog_msg(netutils_t)
>
> miscfiles_read_localization(netutils_t)
>
> -term_dontaudit_use_console(netutils_t)
> -userdom_use_user_terminals(netutils_t)
> -userdom_use_all_users_fds(netutils_t)
> +userdom_use_inherited_user_terminals(netutils_t)
>
> optional_policy(`
> nis_use_ypbind(netutils_t)
> @@ -127,12 +124,9 @@ corenet_tcp_sendrecv_all_ports(ping_t)
>
> dev_read_urand(ping_t)
>
> -fs_dontaudit_getattr_xattr_fs(ping_t)
> -
> domain_use_interactive_fds(ping_t)
>
> files_read_etc_files(ping_t)
> -files_dontaudit_search_var(ping_t)
>
> kernel_read_system_state(ping_t)
>
> @@ -142,7 +136,7 @@ logging_send_syslog_msg(ping_t)
>
> miscfiles_read_localization(ping_t)
>
> -userdom_use_user_terminals(ping_t)
> +userdom_use_inherited_user_terminals(ping_t)
>
> ifdef(`hide_broken_symptoms',`
> init_dontaudit_use_fds(ping_t)
> @@ -197,12 +191,9 @@ corenet_tcp_connect_all_ports(traceroute_t)
> corenet_sendrecv_all_client_packets(traceroute_t)
> corenet_sendrecv_traceroute_server_packets(traceroute_t)
>
> -fs_dontaudit_getattr_xattr_fs(traceroute_t)
> -
> domain_use_interactive_fds(traceroute_t)
>
> files_read_etc_files(traceroute_t)
> -files_dontaudit_search_var(traceroute_t)
>
> init_use_fds(traceroute_t)
>
> @@ -212,7 +203,7 @@ logging_send_syslog_msg(traceroute_t)
>
> miscfiles_read_localization(traceroute_t)
>
> -userdom_use_user_terminals(traceroute_t)
> +userdom_use_inherited_user_terminals(traceroute_t)
>
> #rules needed for nmap
> dev_read_rand(traceroute_t)

2017-06-12 22:37:07

by Chris PeBenito

Subject: [refpolicy] [PATCH] netutils: update

On 06/09/2017 09:30 AM, Christian Göttsche via refpolicy wrote:
> From: cgzones <[email protected]>
>
> v2:
> - keep files_read_etc_files interfaces
>
> ---
> policy/modules/admin/netutils.fc | 1 +
> policy/modules/admin/netutils.te | 15 +++------------
> 2 files changed, 4 insertions(+), 12 deletions(-)
>
> diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
> index 4f77e1cc6..54c0793f7 100644
> --- a/policy/modules/admin/netutils.fc
> +++ b/policy/modules/admin/netutils.fc
> @@ -3,6 +3,7 @@
> /usr/bin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
> /usr/bin/iptstate -- gen_context(system_u:object_r:netutils_exec_t,s0)
> /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
> +/usr/bin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0)
> /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
> /usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
> /usr/bin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
> diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
> index 4ea58479c..8f8f98042 100644
> --- a/policy/modules/admin/netutils.te
> +++ b/policy/modules/admin/netutils.te
> @@ -49,7 +49,6 @@ manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
> manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
> files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
>
> -kernel_search_proc(netutils_t)
> kernel_read_network_state(netutils_t)
> kernel_read_all_sysctls(netutils_t)
>
> @@ -86,9 +85,7 @@ logging_send_syslog_msg(netutils_t)
>
> miscfiles_read_localization(netutils_t)
>
> -term_dontaudit_use_console(netutils_t)
> -userdom_use_user_terminals(netutils_t)
> -userdom_use_all_users_fds(netutils_t)
> +userdom_use_inherited_user_terminals(netutils_t)
>
> optional_policy(`
> nis_use_ypbind(netutils_t)
> @@ -127,12 +124,9 @@ corenet_tcp_sendrecv_all_ports(ping_t)
>
> dev_read_urand(ping_t)
>
> -fs_dontaudit_getattr_xattr_fs(ping_t)
> -
> domain_use_interactive_fds(ping_t)
>
> files_read_etc_files(ping_t)
> -files_dontaudit_search_var(ping_t)
>
> kernel_read_system_state(ping_t)
>
> @@ -142,7 +136,7 @@ logging_send_syslog_msg(ping_t)
>
> miscfiles_read_localization(ping_t)
>
> -userdom_use_user_terminals(ping_t)
> +userdom_use_inherited_user_terminals(ping_t)
>
> ifdef(`hide_broken_symptoms',`
> init_dontaudit_use_fds(ping_t)
> @@ -197,12 +191,9 @@ corenet_tcp_connect_all_ports(traceroute_t)
> corenet_sendrecv_all_client_packets(traceroute_t)
> corenet_sendrecv_traceroute_server_packets(traceroute_t)
>
> -fs_dontaudit_getattr_xattr_fs(traceroute_t)
> -
> domain_use_interactive_fds(traceroute_t)
>
> files_read_etc_files(traceroute_t)
> -files_dontaudit_search_var(traceroute_t)
>
> init_use_fds(traceroute_t)
>
> @@ -212,7 +203,7 @@ logging_send_syslog_msg(traceroute_t)
>
> miscfiles_read_localization(traceroute_t)
>
> -userdom_use_user_terminals(traceroute_t)
> +userdom_use_inherited_user_terminals(traceroute_t)
>
> #rules needed for nmap
> dev_read_rand(traceroute_t)

Merged.

--
Chris PeBenito