From: aranea@aixah.de (Luis Ressel)
Date: Mon, 19 Jun 2017 00:53:34 +0200
Subject: [refpolicy] [PATCH v2 2/3] netutils: Add some permissions required
	by nmap to traceroute_t
In-Reply-To: <20170618225335.25973-1-aranea@aixah.de>
References: <20170618225335.25973-1-aranea@aixah.de>
Message-ID: <20170618225335.25973-2-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

nmap currently also needs "self:socket create", but I've submitted a
kernel patch to ameliorate this.
---
 policy/modules/admin/netutils.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index a1e23ad9..417c6cd2 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -165,6 +165,7 @@ optional_policy(`
 #
 
 allow traceroute_t self:capability { net_admin net_raw setgid setuid };
+allow traceroute_t self:process signal;
 allow traceroute_t self:rawip_socket create_socket_perms;
 allow traceroute_t self:packet_socket create_socket_perms;
 allow traceroute_t self:udp_socket create_socket_perms;
@@ -172,6 +173,8 @@ allow traceroute_t self:udp_socket create_socket_perms;
 kernel_read_system_state(traceroute_t)
 kernel_read_network_state(traceroute_t)
 
+corecmd_search_bin(traceroute_t)
+
 corenet_all_recvfrom_unlabeled(traceroute_t)
 corenet_all_recvfrom_netlabel(traceroute_t)
 corenet_tcp_sendrecv_generic_if(traceroute_t)
@@ -193,6 +196,7 @@ corenet_sendrecv_traceroute_server_packets(traceroute_t)
 
 dev_read_rand(traceroute_t)
 dev_read_urand(traceroute_t)
+dev_read_sysfs(traceroute_t)
 
 domain_use_interactive_fds(traceroute_t)
 
@@ -208,3 +212,7 @@ logging_send_syslog_msg(traceroute_t)
 miscfiles_read_localization(traceroute_t)
 
 userdom_use_inherited_user_terminals(traceroute_t)
+
+# nmap searches .
+userdom_dontaudit_search_user_home_dirs(traceroute_t)
+userdom_dontaudit_search_user_home_content(traceroute_t)
-- 
2.13.1