From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 8 Jun 2017 18:34:33 -0400
Subject: [refpolicy] [PATCH] netutils: update
In-Reply-To: <20170608171106.25493-1-cgzones@googlemail.com>
References: <20170608171106.25493-1-cgzones@googlemail.com>
Message-ID: <197c7d7b-bdbc-e482-9662-fd9d08d75b62@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/08/2017 01:11 PM, Christian Göttsche via refpolicy wrote:
> From: cgzones > > --- > policy/modules/admin/netutils.fc | 1 + > policy/modules/admin/netutils.te | 20 +++----------------- > 2 files changed, 4 insertions(+), 17 deletions(-) > > diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc > index 4f77e1cc6..54c0793f7 100644 > --- a/policy/modules/admin/netutils.fc > +++ b/policy/modules/admin/netutils.fc > @@ -3,6 +3,7 @@ > /usr/bin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0) > /usr/bin/iptstate -- gen_context(system_u:object_r:netutils_exec_t,s0) > /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0) > +/usr/bin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0) > /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) > /usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0) > /usr/bin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) > diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te > index 4ea58479c..7ddd4d941 100644 > --- a/policy/modules/admin/netutils.te > +++ b/policy/modules/admin/netutils.te > @@ -49,7 +49,6 @@ manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) > manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) > files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) > > -kernel_search_proc(netutils_t) > kernel_read_network_state(netutils_t) > kernel_read_all_sysctls(netutils_t)
> > @@ -73,7 +72,6 @@ fs_getattr_xattr_fs(netutils_t) > > domain_use_interactive_fds(netutils_t) > > -files_read_etc_files(netutils_t) > # for nscd > files_dontaudit_search_var(netutils_t) > > @@ -86,9 +84,7 @@ logging_send_syslog_msg(netutils_t) > > miscfiles_read_localization(netutils_t) > > -term_dontaudit_use_console(netutils_t) > -userdom_use_user_terminals(netutils_t) > -userdom_use_all_users_fds(netutils_t) > +userdom_use_inherited_user_terminals(netutils_t) > > optional_policy(` > nis_use_ypbind(netutils_t) > @@ -127,13 +123,8 @@ corenet_tcp_sendrecv_all_ports(ping_t) > > dev_read_urand(ping_t) > > -fs_dontaudit_getattr_xattr_fs(ping_t) > - > domain_use_interactive_fds(ping_t) > > -files_read_etc_files(ping_t) > -files_dontaudit_search_var(ping_t) > - > kernel_read_system_state(ping_t) > > auth_use_nsswitch(ping_t) I suspect many of these removals are due to auth_use_nsswitch(). I'd prefer to keep the rules, even if they overlap auth_use_nsswitch(), as the interface is very abstract (it's not obvious these perms are part of the interface). If the interface implementation has to change in the future, these rules may need to be added back. The exception is kernel_search_proc() above, as it is also handled by the other two kernel rules. > @@ -142,7 +133,7 @@ logging_send_syslog_msg(ping_t) > > miscfiles_read_localization(ping_t) > > -userdom_use_user_terminals(ping_t) > +userdom_use_inherited_user_terminals(ping_t) > > ifdef(`hide_broken_symptoms',` > init_dontaudit_use_fds(ping_t) > @@ -197,13 +188,8 @@ corenet_tcp_connect_all_ports(traceroute_t) > corenet_sendrecv_all_client_packets(traceroute_t) > corenet_sendrecv_traceroute_server_packets(traceroute_t) > > -fs_dontaudit_getattr_xattr_fs(traceroute_t) > - > domain_use_interactive_fds(traceroute_t) > > -files_read_etc_files(traceroute_t) > -files_dontaudit_search_var(traceroute_t) > - > init_use_fds(traceroute_t) > > auth_use_nsswitch(traceroute_t) 
> @@ -212,7 +198,7 @@ logging_send_syslog_msg(traceroute_t) > > miscfiles_read_localization(traceroute_t) > > -userdom_use_user_terminals(traceroute_t) > +userdom_use_inherited_user_terminals(traceroute_t) > > #rules needed for nmap > dev_read_rand(traceroute_t) > -- Chris PeBenito
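Review bot: In the netutils.fc hunk, `/usr/bin/mtr` is given `traceroute_exec_t`, so mtr will run in `traceroute_t`, a domain that the netutils.te hunks show already carries the nmap-driven rules (`corenet_tcp_connect_all_ports(traceroute_t)`, `corenet_sendrecv_all_client_packets(traceroute_t)` and the block under `#rules needed for nmap`). That is consistent with how `lft` and `nmap` are labeled on the neighbouring lines, but it gives mtr more network reach than a traceroute-style probe needs, so the commit message should state that this is intentional. It is also worth checking whether mtr installs any companion binaries under /usr/bin that need the same label or a context of their own; the pattern as written matches only the exact path, unlike the `ping.*` entry below it.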
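Review bot: The `-files_dontaudit_search_var(ping_t)` and `-files_dontaudit_search_var(traceroute_t)` lines remove dontaudit rules, while the same rule is kept for netutils_t under the comment `# for nscd`. If ping and traceroute still reach nscd via the `auth_use_nsswitch()` calls on the same hunks, dropping the dontaudit does not change what is allowed but can bring back var search denials in the audit log. Suggest testing on a host with nscd running and checking `ausearch -m avc` before removing them, or keeping them next to `auth_use_nsswitch()` as Chris proposes.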
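Review bot: The `userdom_use_user_terminals` to `userdom_use_inherited_user_terminals` change for netutils_t, ping_t and traceroute_t narrows terminal access to descriptors inherited from the caller, and the netutils_t hunk additionally removes `term_dontaudit_use_console(netutils_t)` and `userdom_use_all_users_fds(netutils_t)`. That is a separate tightening from the `auth_use_nsswitch()` overlap cleanup, and the commit message is empty (only `From: cgzones` and `---`), so nothing records why each rule is safe to drop. Suggest a message that lists the three groups (terminal narrowing, rules overlapping `auth_use_nsswitch()`, and `kernel_search_proc()` covered by `kernel_read_network_state` / `kernel_read_all_sysctls`), or splitting the terminal change into its own patch so it can be bisected independently.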