From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 12 Jun 2017 18:32:35 -0400
Subject: [refpolicy] [PATCH] netutils: Add some permissions required by nmap to traceroute_t
In-Reply-To: <20170609035646.5abcfb5f@vega.skynet>
References: <20170607160337.16186-1-aranea@aixah.de>
 <1a671542-b374-0b8b-3d34-dc1d2793f9fc@ieee.org>
 <20170608022636.1e787020@vega.skynet>
 <20170609035646.5abcfb5f@vega.skynet>
Message-ID: <41966766-bcf8-5672-3adf-502f37f4dabe@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/08/2017 09:56 PM, Luis Ressel wrote:
> On Thu, 8 Jun 2017 18:15:16 -0400
> Chris PeBenito wrote:
>
>>> Okay, I'll add a separate rule for self:socket, then. I'm curious,
>>> though: Why don't you want to use the :{ ... } syntax here?
>>
>> I find it harder to read. For example, I missed that you added the
>> socket class. What socket type is being used? Did you try enabling
>> policycap extended_socket_class (assuming kernel 4.11+ and libsepol
>> 2.7+)?
>
> Thanks for the hint; I wasn't aware of this new policycap. I tried
> enabling it, but I must've done something wrong: I upgraded libse*,
> checkpolicy and policycoreutils to the latest git HEAD, edited
> policy/policy_capabilities and recompiled the policy. Now seinfo
> --polcaps shows a new polcap "redhat1", but the denial in the audit logs
> still reports the class as "socket".
>
> (I didn't upgrade setools, but those don't have anything to do with the
> policy compilation, right? And before you ask, yes, I am on linux 4.11,
> 4.11.3 to be exact).
>
> Any ideas? I'll have another look at this during the weekend.

You need to recompile SETools, as it is statically linked to libsepol.

-- 
Chris PeBenito
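The exchange above is a small diagnostic procedure: enable the extended_socket_class policy capability, rebuild and load the policy, then check whether AVC denials still report the generic "socket" class. The script below is an added example written for this page, not code from the thread or from refpolicy or SETools. It reads the kernel's own view of the capability from selinuxfs (/sys/fs/selinux/policy_capabilities/<name>, one file per capability containing "1" or "0"), which does not depend on the libsepol version a userspace tool was linked against, parses AVC lines from the audit log, and flags the situation in the thread where `seinfo --polcaps` prints the stale placeholder name "redhat1" instead of "extended_socket_class". The seinfo output layout the parser expects (a "Policy Capabilities:" header followed by one indented name per line) is an assumption about setools 4 output, and the AVC line and seinfo dump embedded below are constructed samples, not real logs.

```python
"""Check whether the SELinux extended_socket_class polcap is really in effect
and classify AVC denials that still land on the generic "socket" class.

Added example for this mailing-list page; not part of refpolicy or SETools.
"""
import re
from pathlib import Path
from typing import List, Optional, Set

POLCAP = "extended_socket_class"
# Real selinuxfs location: the kernel exposes one file per capability, "1" or "0".
SELINUXFS_POLCAPS = "/sys/fs/selinux/policy_capabilities"

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample inputs modelled on the situation described in the thread.
SAMPLE_AVC = (
    'type=AVC msg=audit(1497042000.123:456): avc:  denied  { create } for  '
    'pid=4242 comm="nmap" scontext=system_u:system_r:traceroute_t:s0 '
    'tcontext=system_u:system_r:traceroute_t:s0 tclass=socket permissive=0'
)
SAMPLE_SEINFO = """
Policy Capabilities: 3
   network_peer_controls
   open_perms
   redhat1
"""


def parse_avc(line: str) -> Optional[dict]:
    """Parse one audit AVC line into result, permission list and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    return rec


def parse_seinfo_polcaps(text: str) -> Set[str]:
    """Collect capability names from `seinfo --polcaps` output (assumed setools 4 layout)."""
    caps = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("policy capabilities"):
            continue
        caps.add(line)
    return caps


def kernel_polcap_state(name: str = POLCAP, root: str = SELINUXFS_POLCAPS) -> Optional[bool]:
    """The kernel's view of a polcap; None if selinuxfs or the entry is unavailable."""
    try:
        return (Path(root) / name).read_text().strip() == "1"
    except OSError:
        return None


def diagnose(avc_lines: List[str], seinfo_text: str, kernel_state: Optional[bool]) -> List[str]:
    """Return short finding codes explaining why denials may still say tclass=socket."""
    findings = []
    caps = parse_seinfo_polcaps(seinfo_text)
    if "redhat1" in caps and POLCAP not in caps:
        # The bit is set in the policy, but the statically linked libsepol inside
        # SETools predates the rename: rebuild SETools, as the thread concludes.
        findings.append("stale-setools")
    if kernel_state is False:
        # Policy compiled with the polcap, but the loaded policy does not enable it.
        findings.append("polcap-off")
    for line in avc_lines:
        rec = parse_avc(line)
        if rec and rec.get("tclass") == "socket":
            findings.append("generic-socket-class:%s" % rec.get("comm", "?"))
    return findings


if __name__ == "__main__":
    state = kernel_polcap_state()
    print("kernel %s: %s" % (POLCAP, state))
    for finding in diagnose([SAMPLE_AVC], SAMPLE_SEINFO, state):
        print(finding)
```

On a live system, feed `diagnose()` the output of `seinfo --polcaps` and the AVC lines from `ausearch -m avc`; a "generic-socket-class" finding together with a True kernel state means the socket family or type involved is not one of the extended classes (or the denial predates the policy reload), whereas "polcap-off" points at the loaded policy rather than at the tools.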