From: aranea@aixah.de (Luis Ressel) Date: Mon, 19 Jun 2017 00:53:34 +0200 Subject: [refpolicy] [PATCH v2 2/3] netutils: Add some permissions required by nmap to traceroute_t In-Reply-To: <20170618225335.25973-1-aranea@aixah.de> References: <20170618225335.25973-1-aranea@aixah.de> Message-ID: <20170618225335.25973-2-aranea@aixah.de> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com nmap currently also needs "self:socket create", but I've submitted a kernel patch to ameliorate this.
---
 policy/modules/admin/netutils.te | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index a1e23ad9..417c6cd2 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -165,6 +165,7 @@ optional_policy(`
 #
 allow traceroute_t self:capability { net_admin net_raw setgid setuid };
+allow traceroute_t self:process signal;
 allow traceroute_t self:rawip_socket create_socket_perms;
 allow traceroute_t self:packet_socket create_socket_perms;
 allow traceroute_t self:udp_socket create_socket_perms;
@@ -172,6 +173,8 @@ allow traceroute_t self:udp_socket create_socket_perms;
 kernel_read_system_state(traceroute_t)
 kernel_read_network_state(traceroute_t)
+corecmd_search_bin(traceroute_t)
+
 corenet_all_recvfrom_unlabeled(traceroute_t)
 corenet_all_recvfrom_netlabel(traceroute_t)
 corenet_tcp_sendrecv_generic_if(traceroute_t)
@@ -193,6 +196,7 @@ corenet_sendrecv_traceroute_server_packets(traceroute_t)
 dev_read_rand(traceroute_t)
 dev_read_urand(traceroute_t)
+dev_read_sysfs(traceroute_t)
 domain_use_interactive_fds(traceroute_t)
@@ -208,3 +212,7 @@ logging_send_syslog_msg(traceroute_t)
 miscfiles_read_localization(traceroute_t)
 userdom_use_inherited_user_terminals(traceroute_t)
+
+# nmap searches .
+userdom_dontaudit_search_user_home_dirs(traceroute_t)
+userdom_dontaudit_search_user_home_content(traceroute_t)
-- 
2.13.1
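Review bot: The comment `# nmap searches .` above the two new userdom_dontaudit_* rules in the last hunk is too terse for a later reader of netutils.te to tell whether home-directory access was deliberately silenced or simply forgotten. Suggest `# nmap looks in the current directory (presumably for its data files); when it is started from a home directory this produces denials that are not needed for operation, so silence them rather than allow them`, with the data-file detail to be confirmed against nmap's lookup order. Using dontaudit rather than allow here is the right call, since traceroute_t already carries net_admin and net_raw and should not additionally gain read access to user home content. The rationale for `allow traceroute_t self:process signal;` in the first hunk is also absent from both the policy and the commit message and deserves a one-line comment. The traceroute_t local-policy section these hunks touch begins and ends outside the hunks.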