From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 7 Jun 2017 19:22:07 -0400
Subject: [refpolicy] [PATCH] netutils: Add some permissions required by
 nmap to traceroute_t
In-Reply-To: <20170607160337.16186-1-aranea@aixah.de>
References: <20170607160337.16186-1-aranea@aixah.de>
Message-ID: <1a671542-b374-0b8b-3d34-dc1d2793f9fc@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/07/2017 12:03 PM, Luis Ressel via refpolicy wrote:
> ---
>  policy/modules/admin/netutils.te | 13 ++++++++++---
>  1 file changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
> index 4ea58479..b5bdda2d 100644
> --- a/policy/modules/admin/netutils.te
> +++ b/policy/modules/admin/netutils.te
> @@ -171,9 +171,7 @@ optional_policy(`
>  #
>
>  allow traceroute_t self:capability { net_admin net_raw setgid setuid };
> -allow traceroute_t self:rawip_socket create_socket_perms;
> -allow traceroute_t self:packet_socket create_socket_perms;
> -allow traceroute_t self:udp_socket create_socket_perms;
> +allow traceroute_t self:{ packet_socket rawip_socket socket udp_socket } create_socket_perms;

I'd prefer not to have changes like this.


>  kernel_read_system_state(traceroute_t)
>  kernel_read_network_state(traceroute_t)
> @@ -215,6 +213,15 @@ miscfiles_read_localization(traceroute_t)
>  userdom_use_user_terminals(traceroute_t)
>
>  #rules needed for nmap
> +allow traceroute_t self:process signal;

This needs to go up with the other self rules.

>  dev_read_rand(traceroute_t)
>  dev_read_urand(traceroute_t)
> +dev_read_sysfs(traceroute_t)
> +
> +corecmd_search_bin(traceroute_t)

This should go with the other corenet rules.

>  files_read_usr_files(traceroute_t)
> +
> +# nmap searches .
> +userdom_dontaudit_search_user_home_dirs(traceroute_t)
> +userdom_dontaudit_search_user_home_content(traceroute_t)
>


-- 
Chris PeBenito