From: cgzones@googlemail.com (=?UTF-8?q?Christian=20G=C3=B6ttsche?=)
Date: Thu, 8 Jun 2017 19:11:06 +0200
Subject: [refpolicy] [PATCH] netutils: update
Message-ID: <20170608171106.25493-1-cgzones@googlemail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
From: cgzones
---
 policy/modules/admin/netutils.fc | 1 +
 policy/modules/admin/netutils.te | 20 +++-----------------
 2 files changed, 4 insertions(+), 17 deletions(-)
diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 4f77e1cc6..54c0793f7 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -3,6 +3,7 @@
 /usr/bin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
 /usr/bin/iptstate -- gen_context(system_u:object_r:netutils_exec_t,s0)
 /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+/usr/bin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
 /usr/bin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 4ea58479c..7ddd4d941 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -49,7 +49,6 @@ manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
 manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
 files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
-kernel_search_proc(netutils_t)
 kernel_read_network_state(netutils_t)
 kernel_read_all_sysctls(netutils_t)
@@ -73,7 +72,6 @@ fs_getattr_xattr_fs(netutils_t)
 domain_use_interactive_fds(netutils_t)
-files_read_etc_files(netutils_t)
 # for nscd
 files_dontaudit_search_var(netutils_t)
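Review bot: The new `/usr/bin/mtr` entry does not cover mtr's privileged helper: recent mtr releases split the raw-socket work into a separate `mtr-packet` binary (typically installed setuid root or with cap_net_raw), and this anchored pattern does not match it, so on such installs the part that actually needs the privilege would not be labeled by this module and would run from whatever domain launched the front end — confirm against the target distribution's packaging. If the helper is shipped, add `/usr/bin/mtr-packet -- gen_context(system_u:object_r:traceroute_exec_t,s0)` next to this line. Note also that traceroute_exec_t places mtr in the domain that carries nmap's wider rules (the traceroute_t hunks in netutils.te keep `corenet_tcp_connect_all_ports` and the `#rules needed for nmap` block), which is more than a traceroute-style tool needs.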
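Review bot: Removing `files_read_etc_files(netutils_t)` is only safe if etc_t reads reach netutils_t by another route; unlike the ping_t and traceroute_t hunks, where `auth_use_nsswitch` is retained, nothing visible in this hunk supplies it, so the removal presumably relies on a domain-wide grant that the one-word subject "netutils: update" does not mention. The same goes for `kernel_search_proc(netutils_t)` dropped in the preceding hunk, which appears to be subsumed by the retained `kernel_read_network_state`/`kernel_read_all_sysctls`. A commit-message line such as `Drop rules already provided by kernel_read_network_state() and the domain-wide etc_t read` would stop the next maintainer from re-adding them after an AVC denial.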
@@ -86,9 +84,7 @@ logging_send_syslog_msg(netutils_t)
 miscfiles_read_localization(netutils_t)
-term_dontaudit_use_console(netutils_t)
-userdom_use_user_terminals(netutils_t)
-userdom_use_all_users_fds(netutils_t)
+userdom_use_inherited_user_terminals(netutils_t)
 optional_policy(`
 nis_use_ypbind(netutils_t)
@@ -127,13 +123,8 @@ corenet_tcp_sendrecv_all_ports(ping_t)
 dev_read_urand(ping_t)
-fs_dontaudit_getattr_xattr_fs(ping_t)
-
 domain_use_interactive_fds(ping_t)
-files_read_etc_files(ping_t)
-files_dontaudit_search_var(ping_t)
-
 kernel_read_system_state(ping_t)
 auth_use_nsswitch(ping_t)
@@ -142,7 +133,7 @@ logging_send_syslog_msg(ping_t)
 miscfiles_read_localization(ping_t)
-userdom_use_user_terminals(ping_t)
+userdom_use_inherited_user_terminals(ping_t)
 ifdef(`hide_broken_symptoms',`
 init_dontaudit_use_fds(ping_t)
@@ -197,13 +188,8 @@ corenet_tcp_connect_all_ports(traceroute_t)
 corenet_sendrecv_all_client_packets(traceroute_t)
 corenet_sendrecv_traceroute_server_packets(traceroute_t)
-fs_dontaudit_getattr_xattr_fs(traceroute_t)
-
 domain_use_interactive_fds(traceroute_t)
-files_read_etc_files(traceroute_t)
-files_dontaudit_search_var(traceroute_t)
-
 init_use_fds(traceroute_t)
 auth_use_nsswitch(traceroute_t)
@@ -212,7 +198,7 @@ logging_send_syslog_msg(traceroute_t)
 miscfiles_read_localization(traceroute_t)
-userdom_use_user_terminals(traceroute_t)
+userdom_use_inherited_user_terminals(traceroute_t)
 #rules needed for nmap
 dev_read_rand(traceroute_t)
--
2.11.0
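Review bot: Dropping `term_dontaudit_use_console(netutils_t)` alongside the switch to `userdom_use_inherited_user_terminals(netutils_t)` leaves the console case uncovered: the inherited-terminals interface covers user ttys and ptys, not console_device_t, so tcpdump or iptstate started from a console login will now produce an audited denial on its inherited stdout where it was previously denied silently. If exposing that denial is the intent, say so in the commit message; otherwise keep the dontaudit or, if console output is wanted, use `term_use_console(netutils_t)`. The removed `userdom_use_all_users_fds(netutils_t)` appears to be subsumed by the new interface's userdomain fd use, which is worth stating as well so the narrowing reads as deliberate rather than accidental.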