2017-06-18 22:53:33

by Mira Ressel

Subject: [refpolicy] [PATCH v2 1/3] netutils: Mix nmap perms in with the other traceroute_t perms

---
policy/modules/admin/netutils.te | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index c85248a3..a1e23ad9 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -191,9 +191,13 @@ corenet_tcp_connect_all_ports(traceroute_t)
corenet_sendrecv_all_client_packets(traceroute_t)
corenet_sendrecv_traceroute_server_packets(traceroute_t)

+dev_read_rand(traceroute_t)
+dev_read_urand(traceroute_t)
+
domain_use_interactive_fds(traceroute_t)

files_read_etc_files(traceroute_t)
+files_read_usr_files(traceroute_t)

init_use_fds(traceroute_t)

@@ -204,8 +208,3 @@ logging_send_syslog_msg(traceroute_t)
miscfiles_read_localization(traceroute_t)

userdom_use_inherited_user_terminals(traceroute_t)
-
-#rules needed for nmap
-dev_read_rand(traceroute_t)
-dev_read_urand(traceroute_t)
-files_read_usr_files(traceroute_t)
--
2.13.1


2017-06-18 22:53:35

by Mira Ressel

Subject: [refpolicy] [PATCH v2 3/3] netutils: Allow tcpdump to reduce its capability bounding set

---
policy/modules/admin/netutils.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 417c6cd2..e633f60f 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -33,9 +33,9 @@ init_system_domain(traceroute_t, traceroute_exec_t)
#

# Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setuid sys_chroot };
+allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setpcap setuid sys_chroot };
dontaudit netutils_t self:capability { dac_override sys_tty_config };
-allow netutils_t self:process { setcap signal_perms };
+allow netutils_t self:process { getcap setcap signal_perms };
allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
allow netutils_t self:netlink_socket create_socket_perms;
# For tcpdump.
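Review bot: The `setpcap` capability added on the netutils_t rule is granted to every program running in that domain, while the subject line says only tcpdump needs it to drop its bounding set; the file already tags tcpdump-specific rules with `# For tcpdump.`, so both changed lines should carry the same justification, e.g. `# tcpdump drops its capability bounding set (PR_CAPBSET_DROP needs CAP_SETPCAP).` CAP_SETPCAP is broader than bounding-set removal — it also lets a process add any permitted capability to its inheritable set — so a later reader should see that this was a deliberate trade-off rather than an accidental widening. The netutils_t rule block continues past the end of the hunk.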
--
2.13.1

2017-06-18 22:53:34

by Mira Ressel

Subject: [refpolicy] [PATCH v2 2/3] netutils: Add some permissions required by nmap to traceroute_t

nmap currently also needs "self:socket create", but I've submitted a
kernel patch that should remove that requirement, so it is deliberately
not granted here.
---
policy/modules/admin/netutils.te | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index a1e23ad9..417c6cd2 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -165,6 +165,7 @@ optional_policy(`
#

allow traceroute_t self:capability { net_admin net_raw setgid setuid };
+allow traceroute_t self:process signal;
allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:packet_socket create_socket_perms;
allow traceroute_t self:udp_socket create_socket_perms;
@@ -172,6 +173,8 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)

+corecmd_search_bin(traceroute_t)
+
corenet_all_recvfrom_unlabeled(traceroute_t)
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t)
@@ -193,6 +196,7 @@ corenet_sendrecv_traceroute_server_packets(traceroute_t)

dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
+dev_read_sysfs(traceroute_t)

domain_use_interactive_fds(traceroute_t)

@@ -208,3 +212,7 @@ logging_send_syslog_msg(traceroute_t)
miscfiles_read_localization(traceroute_t)

userdom_use_inherited_user_terminals(traceroute_t)
+
+# nmap searches .
+userdom_dontaudit_search_user_home_dirs(traceroute_t)
+userdom_dontaudit_search_user_home_content(traceroute_t)
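Review bot: The comment `# nmap searches .` above the two new dontaudit rules is too terse to tell a maintainer why a traceroute domain is silencing denials on user home directories; suggest `# nmap searches the current working directory (presumably for its data files); don't audit the denials this causes when cwd is a user's home dir`. The same applies to `dev_read_sysfs(traceroute_t)` in the earlier hunk, which is the only nmap-motivated rule in this patch with no comment at all. The cover text also notes that `self:socket create` is still required pending a kernel change; recording that known gap in the policy file, rather than only in the mailing-list description, would stop someone from silently adding that rule later.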
--
2.13.1

2017-06-18 23:25:24

by Chris PeBenito

Subject: [refpolicy] [PATCH v2 2/3] netutils: Add some permissions required by nmap to traceroute_t

On 06/18/2017 06:53 PM, Luis Ressel via refpolicy wrote:
> nmap currently also needs "self:socket create", but I've submitted a
> kernel patch to ameliorate this.
> ---
> policy/modules/admin/netutils.te | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
> index a1e23ad9..417c6cd2 100644
> --- a/policy/modules/admin/netutils.te
> +++ b/policy/modules/admin/netutils.te
> @@ -165,6 +165,7 @@ optional_policy(`
> #
>
> allow traceroute_t self:capability { net_admin net_raw setgid setuid };
> +allow traceroute_t self:process signal;
> allow traceroute_t self:rawip_socket create_socket_perms;
> allow traceroute_t self:packet_socket create_socket_perms;
> allow traceroute_t self:udp_socket create_socket_perms;
> @@ -172,6 +173,8 @@ allow traceroute_t self:udp_socket create_socket_perms;
> kernel_read_system_state(traceroute_t)
> kernel_read_network_state(traceroute_t)
>
> +corecmd_search_bin(traceroute_t)
> +
> corenet_all_recvfrom_unlabeled(traceroute_t)
> corenet_all_recvfrom_netlabel(traceroute_t)
> corenet_tcp_sendrecv_generic_if(traceroute_t)
> @@ -193,6 +196,7 @@ corenet_sendrecv_traceroute_server_packets(traceroute_t)
>
> dev_read_rand(traceroute_t)
> dev_read_urand(traceroute_t)
> +dev_read_sysfs(traceroute_t)
>
> domain_use_interactive_fds(traceroute_t)
>
> @@ -208,3 +212,7 @@ logging_send_syslog_msg(traceroute_t)
> miscfiles_read_localization(traceroute_t)
>
> userdom_use_inherited_user_terminals(traceroute_t)
> +
> +# nmap searches .
> +userdom_dontaudit_search_user_home_dirs(traceroute_t)
> +userdom_dontaudit_search_user_home_content(traceroute_t)

Merged.

--
Chris PeBenito

2017-06-18 23:25:38

by Chris PeBenito

Subject: [refpolicy] [PATCH v2 3/3] netutils: Allow tcpdump to reduce its capability bounding set

On 06/18/2017 06:53 PM, Luis Ressel via refpolicy wrote:
> ---
> policy/modules/admin/netutils.te | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
> index 417c6cd2..e633f60f 100644
> --- a/policy/modules/admin/netutils.te
> +++ b/policy/modules/admin/netutils.te
> @@ -33,9 +33,9 @@ init_system_domain(traceroute_t, traceroute_exec_t)
> #
>
> # Perform network administration operations and have raw access to the network.
> -allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setuid sys_chroot };
> +allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setpcap setuid sys_chroot };
> dontaudit netutils_t self:capability { dac_override sys_tty_config };
> -allow netutils_t self:process { setcap signal_perms };
> +allow netutils_t self:process { getcap setcap signal_perms };
> allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
> allow netutils_t self:netlink_socket create_socket_perms;
> # For tcpdump.

Merged.

--
Chris PeBenito

2017-06-18 23:25:45

by Chris PeBenito

Subject: [refpolicy] [PATCH v2 1/3] netutils: Mix nmap perms in with the other traceroute_t perms

On 06/18/2017 06:53 PM, Luis Ressel via refpolicy wrote:
> ---
> policy/modules/admin/netutils.te | 9 ++++-----
> 1 file changed, 4 insertions(+), 5 deletions(-)
>
> diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
> index c85248a3..a1e23ad9 100644
> --- a/policy/modules/admin/netutils.te
> +++ b/policy/modules/admin/netutils.te
> @@ -191,9 +191,13 @@ corenet_tcp_connect_all_ports(traceroute_t)
> corenet_sendrecv_all_client_packets(traceroute_t)
> corenet_sendrecv_traceroute_server_packets(traceroute_t)
>
> +dev_read_rand(traceroute_t)
> +dev_read_urand(traceroute_t)
> +
> domain_use_interactive_fds(traceroute_t)
>
> files_read_etc_files(traceroute_t)
> +files_read_usr_files(traceroute_t)
>
> init_use_fds(traceroute_t)
>
> @@ -204,8 +208,3 @@ logging_send_syslog_msg(traceroute_t)
> miscfiles_read_localization(traceroute_t)
>
> userdom_use_inherited_user_terminals(traceroute_t)
> -
> -#rules needed for nmap
> -dev_read_rand(traceroute_t)
> -dev_read_urand(traceroute_t)
> -files_read_usr_files(traceroute_t)

Merged.

--
Chris PeBenito