From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 7 Jun 2017 19:22:07 -0400
Subject: [refpolicy] [PATCH] netutils: Add some permissions required by nmap to traceroute_t
In-Reply-To: <20170607160337.16186-1-aranea@aixah.de>
References: <20170607160337.16186-1-aranea@aixah.de>
Message-ID: <1a671542-b374-0b8b-3d34-dc1d2793f9fc@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/07/2017 12:03 PM, Luis Ressel via refpolicy wrote:
> ---
>  policy/modules/admin/netutils.te | 13 ++++++++++---
>  1 file changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
> index 4ea58479..b5bdda2d 100644
> --- a/policy/modules/admin/netutils.te
> +++ b/policy/modules/admin/netutils.te
> @@ -171,9 +171,7 @@ optional_policy(`
>  #
>
>  allow traceroute_t self:capability { net_admin net_raw setgid setuid };
> -allow traceroute_t self:rawip_socket create_socket_perms;
> -allow traceroute_t self:packet_socket create_socket_perms;
> -allow traceroute_t self:udp_socket create_socket_perms;
> +allow traceroute_t self:{ packet_socket rawip_socket socket udp_socket } create_socket_perms;

I'd prefer not to have changes like this.

>  kernel_read_system_state(traceroute_t)
>  kernel_read_network_state(traceroute_t)
> @@ -215,6 +213,15 @@ miscfiles_read_localization(traceroute_t)
>  userdom_use_user_terminals(traceroute_t)
>
>  #rules needed for nmap
> +allow traceroute_t self:process signal;

This needs to go up with the other self rules.

>  dev_read_rand(traceroute_t)
>  dev_read_urand(traceroute_t)
> +dev_read_sysfs(traceroute_t)
> +
> +corecmd_search_bin(traceroute_t)

This should go with the other corenet rules.

>  files_read_usr_files(traceroute_t)
> +
> +# nmap searches .
> +userdom_dontaudit_search_user_home_dirs(traceroute_t)
> +userdom_dontaudit_search_user_home_content(traceroute_t)
>

--
Chris PeBenito
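Review bot: In the first hunk (@@ -171,9 +171,7 @@), the replacement line `+allow traceroute_t self:{ packet_socket rawip_socket socket udp_socket } create_socket_perms;` grants `create_socket_perms` on the generic `socket` class, which none of the three removed lines (`rawip_socket`, `packet_socket`, `udp_socket`) did, so this is a widening of traceroute_t's self permissions hidden inside what reads as a stylistic consolidation, and neither the diffstat nor the hunk says why nmap needs it. Keep the three existing per-class lines untouched and, if the generic `socket` class is genuinely required, add it as its own `allow traceroute_t self:socket create_socket_perms;` line with a comment naming the denial it resolves, so the new permission is visible to reviewers and easy to revert on its own.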
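Review bot: In the second hunk (@@ -215,6 +213,15 @@), the two `userdom_dontaudit_search_user_home_*` lines are justified only by the comment `# nmap searches .`, and `+dev_read_sysfs(traceroute_t)` carries no explanation at all; a dontaudit is only the right choice when the confined program keeps working without the access and the denial is pure log noise, so the comment should say that nmap runs fine without searching the user's home directory (so the denial is safe to silence rather than allow), and the sysfs read should state what nmap reads there. The hunk also adds a trailing `+` blank line after the last dontaudit rule, which should be dropped so the file does not end with extra whitespace.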