From: aranea@aixah.de (Luis Ressel) Date: Thu, 8 Jun 2017 02:26:36 +0200 Subject: [refpolicy] [PATCH] netutils: Add some permissions required by nmap to traceroute_t In-Reply-To: <1a671542-b374-0b8b-3d34-dc1d2793f9fc@ieee.org> References: <20170607160337.16186-1-aranea@aixah.de> <1a671542-b374-0b8b-3d34-dc1d2793f9fc@ieee.org> Message-ID: <20170608022636.1e787020@vega.skynet> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 7 Jun 2017 19:22:07 -0400 Chris PeBenito wrote: > On 06/07/2017 12:03 PM, Luis Ressel via refpolicy wrote: > > --- > > policy/modules/admin/netutils.te | 13 ++++++++++--- > > 1 file changed, 10 insertions(+), 3 deletions(-) > > > > diff --git a/policy/modules/admin/netutils.te > > b/policy/modules/admin/netutils.te index 4ea58479..b5bdda2d 100644 > > --- a/policy/modules/admin/netutils.te > > +++ b/policy/modules/admin/netutils.te > > @@ -171,9 +171,7 @@ optional_policy(` > > # > > > > allow traceroute_t self:capability { net_admin net_raw setgid > > setuid }; -allow traceroute_t self:rawip_socket create_socket_perms; > > -allow traceroute_t self:packet_socket create_socket_perms; > > -allow traceroute_t self:udp_socket create_socket_perms; > > +allow traceroute_t self:{ packet_socket rawip_socket socket > > udp_socket } create_socket_perms; > > I'd prefer not to have changes like this. Okay, I'll add a separate rule for self:socket, then. I'm curious, though: Why don't you want to use the :{ ... } syntax here? > > kernel_read_system_state(traceroute_t) > > kernel_read_network_state(traceroute_t) 
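Review bot: The combined rule in this hunk is not a pure refactor: `socket` is a fourth class that none of the three removed lines granted, so a new permission (create_socket_perms on the generic socket class) is introduced silently inside what reads as a style change, and the patch body above the diffstat gives no denial or nmap operation that motivates it. Keep the three existing `rawip_socket`/`packet_socket`/`udp_socket` lines as they are and add the new grant on its own line, e.g. `allow traceroute_t self:socket create_socket_perms;`, with a short comment or commit-message sentence saying which nmap mode needs the generic socket class, so the widening is visible to anyone auditing traceroute_t later.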
> > @@ -215,6 +213,15 @@ miscfiles_read_localization(traceroute_t) > > userdom_use_user_terminals(traceroute_t) > > > > #rules needed for nmap > > +allow traceroute_t self:process signal; > > This needs to go up with the other self rules. Okay. But while we're at this: Should we perhaps drop the whole "rules needed for nmap" block and mix those rules with the others above? In particular, the files_read_usr_files() rule could be moved to the other files_ rules. > > dev_read_rand(traceroute_t) > > dev_read_urand(traceroute_t) > > +dev_read_sysfs(traceroute_t) > > + > > +corecmd_search_bin(traceroute_t) > > This should go with the other corenet rules. > You probably misread; this is a core*cmd* rule. > > files_read_usr_files(traceroute_t) > > + > > +# nmap searches . > > +userdom_dontaudit_search_user_home_dirs(traceroute_t) > > +userdom_dontaudit_search_user_home_content(traceroute_t) > > > > Thanks for your feedback! Regards, Luis
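Review bot: The `# nmap searches .` comment before the two `userdom_dontaudit_search_user_home_*` lines is too terse to justify a dontaudit: it should say that nmap looks in its current working directory, which is often under a user's home, and that the lookup is incidental, which is why the rule suppresses the audit message instead of granting search access. A dontaudit is the right choice here (no new access for traceroute_t), but the comment is what lets a later reviewer tell that apart from a denial that was merely silenced. On the same hunk, `+allow traceroute_t self:process signal;` sits under the nmap comment rather than with the other `self:` rules near the top of the block, and `dev_read_sysfs` and `corecmd_search_bin` are added without a note of what nmap reads under sysfs or why it needs to search bin directories; one short comment per addition would keep the "rules needed for nmap" block explainable if it is kept, or make the rules easy to place if it is dissolved as proposed.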