From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sun, 18 Nov 2012 08:41:07 +0100 Subject: [refpolicy] [PATCH 1/1] tcpdump chroots into /var/lib/tcpdump Message-ID: <20121118074107.GA27263@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com When invoking tcpdump, the application creates a netlink_socket and then chroots into /var/lib/tcpdump. Without the right to create a netlink_socket: tcpdump: Can't open netlink socket 13:Permission denied Without the right on dac_read_search and sys_chroot: tcpdump: Couldn't chroot/chdir to '/var/lib/tcpdump': Permission denied See also https://bugs.gentoo.org/show_bug.cgi?id=443624 Signed-off-by: Sven Vermeulen --- policy/modules/admin/netutils.te | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index b6c221d..606948a 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -33,10 +33,11 @@ init_system_domain(traceroute_t, traceroute_exec_t) # # Perform network administration operations and have raw access to the network. -allow netutils_t self:capability { net_admin net_raw setuid setgid }; -dontaudit netutils_t self:capability sys_tty_config; +allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot }; +dontaudit netutils_t self:capability { dac_override sys_tty_config }; allow netutils_t self:process { setcap signal_perms }; allow netutils_t self:netlink_route_socket create_netlink_socket_perms; +allow netutils_t self:netlink_socket create_socket_perms; allow netutils_t self:packet_socket create_socket_perms; allow netutils_t self:udp_socket create_socket_perms; allow netutils_t self:tcp_socket create_stream_socket_perms; 
@@ -47,6 +48,7 @@ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) kernel_search_proc(netutils_t) +kernel_read_network_state(netutils_t) kernel_read_all_sysctls(netutils_t) corenet_all_recvfrom_unlabeled(netutils_t) -- 1.7.8.6
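Review bot: In the first hunk (@@ -33,10 +33,11 @@), the change to `dontaudit netutils_t self:capability { dac_override sys_tty_config };` is not explained by the commit message, which only justifies `dac_read_search`, `sys_chroot` and the `netlink_socket` permission. If the reason is that the kernel tries `dac_override` before falling back to `dac_read_search` when searching `/var/lib/tcpdump`, so the denial is noise rather than a missing right, say so in the message; otherwise a reader cannot tell a deliberate dontaudit from a silenced real denial. Also worth stating is that `sys_chroot` and `dac_read_search` are granted to all of `netutils_t`, not only to the tcpdump invocation that chroots, and that the chroot/chdir into `/var/lib/tcpdump` relies on an existing search right on that directory, since no file context or type for it appears in the patch.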
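Review bot: In the second hunk (@@ -47,6 +48,7 @@), `+kernel_read_network_state(netutils_t)` has no corresponding denial quoted in the commit message, which lists only the netlink socket and the chroot/chdir failures. Add the denial (or the tcpdump operation, such as reading `/proc/net` entries) that motivates it, so the interface call is traceable to an observed need rather than appearing as an unrelated broadening of `netutils_t`.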