From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 27 Nov 2012 09:28:29 -0500
Subject: [refpolicy] [PATCH 1/1] tcpdump chroots into /var/lib/tcpdump
In-Reply-To: <20121118074107.GA27263@siphos.be>
References: <20121118074107.GA27263@siphos.be>
Message-ID: <50B4CE0D.8060401@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/18/12 02:41, Sven Vermeulen wrote:
> When invoking tcpdump, the application creates a netlink_socket and then chroots
> into /var/lib/tcpdump.
>
> Without the right to create a netlink_socket:
> tcpdump: Can't open netlink socket 13:Permission denied
>
> Without the right on dac_read_search and sys_chroot:
> tcpdump: Couldn't chroot/chdir to '/var/lib/tcpdump': Permission denied
>
> See also https://bugs.gentoo.org/show_bug.cgi?id=443624

Merged.

> Signed-off-by: Sven Vermeulen > --- > policy/modules/admin/netutils.te | 6 ++++-- > 1 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te > index b6c221d..606948a 100644 > --- a/policy/modules/admin/netutils.te > +++ b/policy/modules/admin/netutils.te > @@ -33,10 +33,11 @@ init_system_domain(traceroute_t, traceroute_exec_t) > # > > # Perform network administration operations and have raw access to the network. > -allow netutils_t self:capability { net_admin net_raw setuid setgid }; > -dontaudit netutils_t self:capability sys_tty_config; > +allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot }; > +dontaudit netutils_t self:capability { dac_override sys_tty_config }; > allow netutils_t self:process { setcap signal_perms }; > allow netutils_t self:netlink_route_socket create_netlink_socket_perms; > +allow netutils_t self:netlink_socket create_socket_perms; > allow netutils_t self:packet_socket create_socket_perms; > allow netutils_t self:udp_socket create_socket_perms; > allow netutils_t self:tcp_socket create_stream_socket_perms; 
> @@ -47,6 +48,7 @@ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) > files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) > > kernel_search_proc(netutils_t) > +kernel_read_network_state(netutils_t) > kernel_read_all_sysctls(netutils_t) > > corenet_all_recvfrom_unlabeled(netutils_t)

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
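Review bot: in the first hunk (@@ -33,10 +33,11 @@) dac_override is added to the dontaudit line at the same time dac_read_search is added to the allow line, but the commit message only explains dac_read_search and sys_chroot. Please record why dac_override is silenced rather than granted (the usual reason is that the kernel tries dac_override first and only then falls back to dac_read_search, so the denial is expected noise); without that note, a later reader chasing AVC messages may turn the dontaudit into an allow and hand netutils_t a full DAC bypass. The new line "allow netutils_t self:netlink_socket create_socket_perms;" also uses the generic netlink class, which covers every netlink family that has no dedicated SELinux class (unlike the netlink_route_socket rule just above it), so naming the family tcpdump actually opens would make this grant easier to audit later.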
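Review bot: the second hunk (@@ -47,6 +48,7 @@) adds "kernel_read_network_state(netutils_t)", which the commit message never mentions; it lists the netlink socket and chroot denials but none for reading kernel network state under /proc/net. Add the AVC denial that motivated this call (or drop it if it was added speculatively) so every interface in the patch stays traceable to an observed denial.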