From: aranea@aixah.de (Luis Ressel)
Date: Fri, 9 Jun 2017 03:56:46 +0200
Subject: [refpolicy] [PATCH] netutils: Add some permissions required by nmap to traceroute_t
In-Reply-To:
References: <20170607160337.16186-1-aranea@aixah.de> <1a671542-b374-0b8b-3d34-dc1d2793f9fc@ieee.org> <20170608022636.1e787020@vega.skynet>
Message-ID: <20170609035646.5abcfb5f@vega.skynet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 8 Jun 2017 18:15:16 -0400
Chris PeBenito wrote:

> > Okay, I'll add a separate rule for self:socket, then. I'm curious,
> > though: Why don't you want to use the :{ ... } syntax here?
>
> I find it harder to read. For example, I missed that you added the
> socket class. What socket type is being used? Did you try enabling
> policycap extended_socket_class (assuming kernel 4.11+ and libsepol
> 2.7+)?

Thanks for the hint; I wasn't aware of this new policycap. I tried
enabling it, but I must've done something wrong: I upgraded libse*,
checkpolicy and policycoreutils to the latest git HEAD, edited
policy/policy_capabilities and recompiled the policy. Now
seinfo --polcaps shows a new polcap "redhat1", but the denial in the
audit logs still reports the class as "socket". (I didn't upgrade
setools, but those don't have anything to do with the policy
compilation, right? And before you ask, yes, I am on linux 4.11,
4.11.3 to be exact.)

Any ideas? I'll have another look at this during the weekend.

Regards,
Luis Ressel
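The exchange above hinges on which object class the kernel reports in the AVC denial, because that is the class the refpolicy rule (`allow traceroute_t self:socket { ... };`) has to name. The following Python helper is an added example, not code from this thread or from refpolicy: it parses audit AVC records from a few constructed sample lines, groups denied permissions by source domain, target type and class (the shape a policy rule needs), flags denials on the generic `socket` class, which is the case where the extended_socket_class policy capability can change the reported class, and reads the capability's state from selinuxfs (`/sys/fs/selinux/policy_capabilities/<name>`, returning `None` when that directory is absent, as it is on a non-SELinux machine). The audit lines, the PID and the function names are my own.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample audit records (not taken from the thread). The first two
# mirror the situation discussed: a denial whose class is the generic "socket".
SAMPLE_AUDIT = """\
type=AVC msg=audit(1496972190.123:456): avc:  denied  { create } for  pid=1234 comm="nmap" scontext=staff_u:staff_r:traceroute_t:s0 tcontext=staff_u:staff_r:traceroute_t:s0 tclass=socket permissive=0
type=AVC msg=audit(1496972190.124:457): avc:  denied  { setopt } for  pid=1234 comm="nmap" scontext=staff_u:staff_r:traceroute_t:s0 tcontext=staff_u:staff_r:traceroute_t:s0 tclass=socket permissive=0
type=AVC msg=audit(1496972190.125:458): avc:  denied  { read write } for  pid=1234 comm="nmap" path="/dev/random" dev="devtmpfs" ino=9 scontext=staff_u:staff_r:traceroute_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1496972190.125:458): arch=c000003e syscall=2 success=no exit=-13
"""

# Matches the fields of a kernel AVC record; anything between the permission
# set and scontext= (pid, comm, path, dev, ino ...) is skipped.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Avc:
    result: str
    perms: Tuple[str, ...]
    scontext: str
    tcontext: str
    tclass: str


def parse_avc(text: str) -> List[Avc]:
    """Return one Avc per AVC record; non-AVC lines (SYSCALL etc.) are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            records.append(Avc(m["result"], tuple(m["perms"].split()),
                               m["scontext"], m["tcontext"], m["tclass"]))
    return records


def type_of(ctx: str) -> str:
    """Third field of user:role:type:level is the type (domain for processes)."""
    return ctx.split(":")[2]


def summarize(records: List[Avc]) -> Dict[Tuple[str, str, str], Set[str]]:
    """Union denied permissions per (source domain, target type, class)."""
    out: Dict[Tuple[str, str, str], Set[str]] = {}
    for r in records:
        if r.result != "denied":
            continue
        key = (type_of(r.scontext), type_of(r.tcontext), r.tclass)
        out.setdefault(key, set()).update(r.perms)
    return out


def generic_socket_denials(records: List[Avc]) -> List[Avc]:
    """Denials on the generic 'socket' class: with the extended_socket_class
    policycap enabled, the kernel may report a more specific class instead,
    so re-check these before writing a rule against 'socket'."""
    return [r for r in records if r.result == "denied" and r.tclass == "socket"]


def polcap_enabled(name: str,
                   root: Path = Path("/sys/fs/selinux/policy_capabilities")) -> Optional[bool]:
    """Read a policy capability's state from selinuxfs ("1" = enabled).
    Returns None when selinuxfs is not mounted or the capability is unknown."""
    p = root / name
    if not p.is_file():
        return None
    return p.read_text().strip() == "1"


def suggested_rule(key: Tuple[str, str, str], perms: Set[str]) -> str:
    """Render one refpolicy-style allow rule; 'self' when source == target."""
    src, tgt, cls = key
    target = "self" if src == tgt else tgt
    return f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};"


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT)
    for key, perms in summarize(recs).items():
        print(suggested_rule(key, perms))
    print("generic socket denials:", len(generic_socket_denials(recs)))
    print("extended_socket_class:", polcap_enabled("extended_socket_class"))
```

The rules this prints are a starting point for review, not something to feed into the policy blindly; the generic-class count and the policycap state tell you whether the `socket` class in a denial is final or an artefact of the capability being off.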