From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 8 Jun 2017 18:15:16 -0400
Subject: [refpolicy] [PATCH] netutils: Add some permissions required by nmap to traceroute_t
In-Reply-To: <20170608022636.1e787020@vega.skynet>
References: <20170607160337.16186-1-aranea@aixah.de> <1a671542-b374-0b8b-3d34-dc1d2793f9fc@ieee.org> <20170608022636.1e787020@vega.skynet>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/07/2017 08:26 PM, Luis Ressel wrote:
> On Wed, 7 Jun 2017 19:22:07 -0400
> Chris PeBenito wrote:
>
>> On 06/07/2017 12:03 PM, Luis Ressel via refpolicy wrote:
>>> ---
>>> policy/modules/admin/netutils.te | 13 ++++++++++---
>>> 1 file changed, 10 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/policy/modules/admin/netutils.te
>>> b/policy/modules/admin/netutils.te index 4ea58479..b5bdda2d 100644
>>> --- a/policy/modules/admin/netutils.te
>>> +++ b/policy/modules/admin/netutils.te
>>> @@ -171,9 +171,7 @@ optional_policy(`
>>> #
>>>
>>> allow traceroute_t self:capability { net_admin net_raw setgid
>>> setuid }; -allow traceroute_t self:rawip_socket create_socket_perms;
>>> -allow traceroute_t self:packet_socket create_socket_perms;
>>> -allow traceroute_t self:udp_socket create_socket_perms;
>>> +allow traceroute_t self:{ packet_socket rawip_socket socket
>>> udp_socket } create_socket_perms;
>>
>> I'd prefer not to have changes like this.
>
> Okay, I'll add a separate rule for self:socket, then. I'm curious,
> though: Why don't you want to use the :{ ... } syntax here?

I find it harder to read. For example, I missed that you added the socket class.

What socket type is being used? Did you try enabling policycap extended_socket_class (assuming kernel 4.11+ and libsepol 2.7+)?

>>> kernel_read_system_state(traceroute_t)
>>> kernel_read_network_state(traceroute_t)
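Review bot: the consolidated line `+allow traceroute_t self:{ packet_socket rawip_socket socket udp_socket } create_socket_perms;` quietly widens the grant by adding the generic `socket` class, which none of the three removed `rawip_socket`/`packet_socket`/`udp_socket` lines allowed, and neither the hunk nor the patch description says which socket type nmap opens that falls into that class. Keep `self:socket` as its own rule so the new permission is visible in the diff, and note in the commit message why the generic class is needed; if the specific socket class is available under the extended_socket_class policy capability, that class should be granted instead of the generic one.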
>>> @@ -215,6 +213,15 @@ miscfiles_read_localization(traceroute_t)
>>> userdom_use_user_terminals(traceroute_t)
>>>
>>> #rules needed for nmap
>>> +allow traceroute_t self:process signal;
>>
>> This needs to go up with the other self rules.
>
> Okay. But while we're at this: Should we perhaps drop the whole "rules
> needed for nmap" block and mix those rules with the others above? In
> particular, the files_read_usr_files() rule could be moved to the other
> files_ rules.

I'm fine with that.

>>> dev_read_rand(traceroute_t)
>>> dev_read_urand(traceroute_t)
>>> +dev_read_sysfs(traceroute_t)
>>> +
>>> +corecmd_search_bin(traceroute_t)
>>
>> This should go with the other corenet rules.
>>
>
> You probably misread; this is a core*cmd* rule.

True. It should go above the corenet rules.

--
Chris PeBenito
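Review bot: in the second hunk, `+allow traceroute_t self:process signal;` is added under the `#rules needed for nmap` comment instead of next to the existing `self:` rules at the top of the traceroute_t block, and `+corecmd_search_bin(traceroute_t)` is placed after the `dev_read_*` calls rather than with the other corecmd rules ahead of the corenet rules; both should move so the block keeps its interface-prefix ordering, and the nmap-specific comment block can then be dropped as discussed. `+dev_read_sysfs(traceroute_t)` also arrives with no explanation of what nmap reads under sysfs; a short note in the commit message would let a later reader judge whether the permission is still required.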