From: guido@trentalancia.com (Guido Trentalancia)
Date: Fri, 09 Jun 2017 17:32:57 +0200
Subject: [refpolicy] [PATCH] netutils: update
In-Reply-To: <20170609133024.7315-1-cgzones@googlemail.com>
References: <20170609133024.7315-1-cgzones@googlemail.com>
Message-ID: <1497022377.4707.2.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Yes, it is definitely better to keep files_read_etc_files() even if it is included in other interfaces... I think you recently removed it from other modules too. Iptables is one of them (yesterday). Please, reintroduce it there too.

Regards,

Guido

On Fri, 09/06/2017 at 15.30 +0200, Christian Göttsche via refpolicy wrote:
> From: cgzones
>
> v2:
> - keep files_read_etc_files interfaces
>
> ---
> policy/modules/admin/netutils.fc | 1 +
> policy/modules/admin/netutils.te | 15 +++------------
> 2 files changed, 4 insertions(+), 12 deletions(-)
>
> diff --git a/policy/modules/admin/netutils.fc > b/policy/modules/admin/netutils.fc > index 4f77e1cc6..54c0793f7 100644 > --- a/policy/modules/admin/netutils.fc > +++ b/policy/modules/admin/netutils.fc > @@ -3,6 +3,7 @@ > /usr/bin/hping2 -- gen_context(system_u:object > _r:ping_exec_t,s0) > /usr/bin/iptstate -- gen_context(system_u:object_r:net > utils_exec_t,s0) > /usr/bin/lft -- gen_context(system_u:object_r: > traceroute_exec_t,s0) > +/usr/bin/mtr -- gen_context(system_u:object_r: > traceroute_exec_t,s0) > /usr/bin/nmap -- gen_context(system_u:object_r > :traceroute_exec_t,s0) > /usr/bin/ping.* -- gen_context(system_u:object_r:ping > _exec_t,s0) > /usr/bin/send_arp -- gen_context(system_u:object_r:pin > g_exec_t,s0) > diff --git a/policy/modules/admin/netutils.te > b/policy/modules/admin/netutils.te > index 4ea58479c..8f8f98042 100644 > --- a/policy/modules/admin/netutils.te > +++ b/policy/modules/admin/netutils.te 
> @@ -49,7 +49,6 @@ manage_dirs_pattern(netutils_t, netutils_tmp_t, > netutils_tmp_t) > manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) > files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) > > -kernel_search_proc(netutils_t) > kernel_read_network_state(netutils_t) > kernel_read_all_sysctls(netutils_t) > > @@ -86,9 +85,7 @@ logging_send_syslog_msg(netutils_t) > > miscfiles_read_localization(netutils_t) > > -term_dontaudit_use_console(netutils_t) > -userdom_use_user_terminals(netutils_t) > -userdom_use_all_users_fds(netutils_t) > +userdom_use_inherited_user_terminals(netutils_t) > > optional_policy(` > nis_use_ypbind(netutils_t) > @@ -127,12 +124,9 @@ corenet_tcp_sendrecv_all_ports(ping_t) > > dev_read_urand(ping_t) > > -fs_dontaudit_getattr_xattr_fs(ping_t) > - > domain_use_interactive_fds(ping_t) > > files_read_etc_files(ping_t) > -files_dontaudit_search_var(ping_t) > > kernel_read_system_state(ping_t) > > @@ -142,7 +136,7 @@ logging_send_syslog_msg(ping_t) > > miscfiles_read_localization(ping_t) > > -userdom_use_user_terminals(ping_t) > +userdom_use_inherited_user_terminals(ping_t) > > ifdef(`hide_broken_symptoms',` > init_dontaudit_use_fds(ping_t) > @@ -197,12 +191,9 @@ corenet_tcp_connect_all_ports(traceroute_t) > corenet_sendrecv_all_client_packets(traceroute_t) > corenet_sendrecv_traceroute_server_packets(traceroute_t) > > -fs_dontaudit_getattr_xattr_fs(traceroute_t) > - > domain_use_interactive_fds(traceroute_t) > > files_read_etc_files(traceroute_t) > -files_dontaudit_search_var(traceroute_t) > > init_use_fds(traceroute_t) > > @@ -212,7 +203,7 @@ logging_send_syslog_msg(traceroute_t) > > miscfiles_read_localization(traceroute_t) > > -userdom_use_user_terminals(traceroute_t) > +userdom_use_inherited_user_terminals(traceroute_t) > > #rules needed for nmap > dev_read_rand(traceroute_t)
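Review bot: the commit message carries only the v2 changelog ("keep files_read_etc_files interfaces") and says nothing about the netutils.fc hunk (@@ -3,6 +3,7 @@) that labels /usr/bin/mtr as traceroute_exec_t, nor about the rule removals in netutils.te; a short line per change (why mtr belongs in the traceroute_t domain rather than ping_t or netutils_t, and which rules became redundant and through which interface) would let reviewers verify the intent instead of guessing it.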
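Review bot: dropping kernel_search_proc(netutils_t) in the @@ -49,7 +49,6 @@ hunk is only safe if the kernel_read_network_state(netutils_t) and kernel_read_all_sysctls(netutils_t) calls that remain still grant search on the proc directories the tools traverse; the commit message does not state that the call became redundant, so please either say so (naming the interface that now covers it) or keep the call, so the change is not mistaken for a silent permission cut.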
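Review bot: the @@ -86,9 +85,7 @@ hunk mixes two different kinds of change: replacing userdom_use_user_terminals(netutils_t) with userdom_use_inherited_user_terminals(netutils_t) tightens terminal access to inherited descriptors, while removing term_dontaudit_use_console(netutils_t) and userdom_use_all_users_fds(netutils_t) can surface new audited denials for tools started from a console or with descriptors from another user's session. Please note in the commit message which of these were exercised (for instance iptstate from a root console) so the dontaudit removal reads as a deliberate choice rather than future AVC noise for administrators.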
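Review bot: removing fs_dontaudit_getattr_xattr_fs(ping_t) and files_dontaudit_search_var(ping_t) in the @@ -127,12 +124,9 @@ hunk turns accesses that were previously silenced into audited denials; the hunk keeps files_read_etc_files(ping_t) as the v2 note promises, so the open question is whether ping still performs the filesystem getattr and the search of /var that these rules were covering. If it does, the denials return as audit noise; a sentence in the commit message saying they were verified absent with current ping builds would justify the removal.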
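Review bot: the @@ -197,12 +191,9 @@ hunk applies the same dontaudit removals (fs_dontaudit_getattr_xattr_fs, files_dontaudit_search_var) to traceroute_t, but that domain covers more than traceroute: nmap is already labelled traceroute_exec_t (see the "#rules needed for nmap" comment in the following hunk) and this patch adds mtr to it. Each of those binaries should be run under the new policy before the rules go, since an access that was merely noisy for one tool can be a functional break for another.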
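Review bot: switching traceroute_t to userdom_use_inherited_user_terminals(traceroute_t) in the @@ -212,7 +203,7 @@ hunk restricts the domain to terminals it receives as inherited descriptors; because mtr is newly labelled traceroute_exec_t in this same patch, please confirm it does not open the controlling terminal device itself (as an interactive tool might), since the inherited-only interface would deny that open and the failure would only show up at runtime.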