From: aranea@aixah.de (Luis Ressel)
Date: Wed, 7 Jun 2017 18:03:37 +0200
Subject: [refpolicy] [PATCH] netutils: Add some permissions required by nmap to traceroute_t
Message-ID: <20170607160337.16186-1-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
---
 policy/modules/admin/netutils.te | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 4ea58479..b5bdda2d 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -171,9 +171,7 @@ optional_policy(`
 #
 allow traceroute_t self:capability { net_admin net_raw setgid setuid };
-allow traceroute_t self:rawip_socket create_socket_perms;
-allow traceroute_t self:packet_socket create_socket_perms;
-allow traceroute_t self:udp_socket create_socket_perms;
+allow traceroute_t self:{ packet_socket rawip_socket socket udp_socket } create_socket_perms;
 kernel_read_system_state(traceroute_t)
 kernel_read_network_state(traceroute_t)
@@ -215,6 +213,15 @@ miscfiles_read_localization(traceroute_t)
 userdom_use_user_terminals(traceroute_t)
 #rules needed for nmap
+allow traceroute_t self:process signal;
+
 dev_read_rand(traceroute_t)
 dev_read_urand(traceroute_t)
+dev_read_sysfs(traceroute_t)
+
+corecmd_search_bin(traceroute_t)
 files_read_usr_files(traceroute_t)
+
+# nmap searches .
+userdom_dontaudit_search_user_home_dirs(traceroute_t)
+userdom_dontaudit_search_user_home_content(traceroute_t)
-- 
2.13.1
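Review bot: The rewritten allow rule in the first hunk widens the grant beyond the three rules it replaces by adding the generic `socket` class, which is the class the kernel applies to socket families that have no dedicated object class, and neither the rule nor the commit message says which family nmap opens that needs it. Without that, a later reviewer cannot tell whether the class is still required or was a catch-all for an unidentified denial; a comment on the `+` line such as `# nmap also opens a socket of a family with no dedicated object class (TODO: name the family)` would record the justification. The surrounding traceroute policy section starts and ends outside the hunk, so it is not visible whether a more specific class was already granted nearby.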
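Review bot: The comment `# nmap searches .` introduced in the second hunk is too terse to explain why searches of user home directories are being silenced with dontaudit rather than allowed; a reader has to infer that the working directory is what nmap searches and that the denial is harmless. Suggest `# nmap searches its current working directory; silence rather than grant the search when that is a user's home`. The added `dev_read_sysfs(traceroute_t)` under the existing `#rules needed for nmap` header likewise gives no hint of what in sysfs nmap reads; if known, a one-line comment naming it would make this fairly broad read grant easier to revisit later.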