From: aranea@aixah.de (Luis Ressel)
Date: Wed,  7 Jun 2017 18:03:37 +0200
Subject: [refpolicy] [PATCH] netutils: Add some permissions required by nmap
	to traceroute_t
Message-ID: <20170607160337.16186-1-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

---
 policy/modules/admin/netutils.te | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 4ea58479..b5bdda2d 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -171,9 +171,7 @@ optional_policy(`
 #
 
 allow traceroute_t self:capability { net_admin net_raw setgid setuid };
-allow traceroute_t self:rawip_socket create_socket_perms;
-allow traceroute_t self:packet_socket create_socket_perms;
-allow traceroute_t self:udp_socket create_socket_perms;
+allow traceroute_t self:{ packet_socket rawip_socket socket udp_socket } create_socket_perms;
 
 kernel_read_system_state(traceroute_t)
 kernel_read_network_state(traceroute_t)
@@ -215,6 +213,15 @@ miscfiles_read_localization(traceroute_t)
 userdom_use_user_terminals(traceroute_t)
 
 #rules needed for nmap
+allow traceroute_t self:process signal;
+
 dev_read_rand(traceroute_t)
 dev_read_urand(traceroute_t)
+dev_read_sysfs(traceroute_t)
+
+corecmd_search_bin(traceroute_t)
 files_read_usr_files(traceroute_t)
+
+# nmap searches .
+userdom_dontaudit_search_user_home_dirs(traceroute_t)
+userdom_dontaudit_search_user_home_content(traceroute_t)
-- 
2.13.1