From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 18 Jun 2017 19:25:24 -0400 Subject: [refpolicy] [PATCH v2 2/3] netutils: Add some permissions required by nmap to traceroute_t In-Reply-To: <20170618225335.25973-2-aranea@aixah.de> References: <20170618225335.25973-1-aranea@aixah.de> <20170618225335.25973-2-aranea@aixah.de> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 06/18/2017 06:53 PM, Luis Ressel via refpolicy wrote: > nmap currently also needs "self:socket create", but I've submitted a > kernel patch to ameliorate this. > --- > policy/modules/admin/netutils.te | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te > index a1e23ad9..417c6cd2 100644 > --- a/policy/modules/admin/netutils.te > +++ b/policy/modules/admin/netutils.te > @@ -165,6 +165,7 @@ optional_policy(` > # > > allow traceroute_t self:capability { net_admin net_raw setgid setuid }; > +allow traceroute_t self:process signal; > allow traceroute_t self:rawip_socket create_socket_perms; > allow traceroute_t self:packet_socket create_socket_perms; > allow traceroute_t self:udp_socket create_socket_perms; > @@ -172,6 +173,8 @@ allow traceroute_t self:udp_socket create_socket_perms; > kernel_read_system_state(traceroute_t) > kernel_read_network_state(traceroute_t) > > +corecmd_search_bin(traceroute_t) > + > corenet_all_recvfrom_unlabeled(traceroute_t) > corenet_all_recvfrom_netlabel(traceroute_t) > corenet_tcp_sendrecv_generic_if(traceroute_t) > @@ -193,6 +196,7 @@ corenet_sendrecv_traceroute_server_packets(traceroute_t) > > dev_read_rand(traceroute_t) > dev_read_urand(traceroute_t) > +dev_read_sysfs(traceroute_t) > > domain_use_interactive_fds(traceroute_t) 
> > @@ -208,3 +212,7 @@ logging_send_syslog_msg(traceroute_t) > miscfiles_read_localization(traceroute_t) > > userdom_use_inherited_user_terminals(traceroute_t) > + > +# nmap searches . > +userdom_dontaudit_search_user_home_dirs(traceroute_t) > +userdom_dontaudit_search_user_home_content(traceroute_t) Merged. -- Chris PeBenito
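Review bot: in the first hunk (@@ -165), `allow traceroute_t self:process signal;` is added without any comment saying which nmap operation trips the denial, while the home-directory rules at the end of this patch do carry a `# nmap searches .` comment; a similar one-line note here (or a sentence in the commit message, which currently only mentions the pending `self:socket create` kernel change) would let future readers trace this permission to its cause.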
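Review bot: in the second hunk (@@ -172), `corecmd_search_bin(traceroute_t)` uses the proper interface rather than a raw allow, but neither the hunk nor the commit message says what nmap looks up in the bin directories; a short comment naming the lookup would help later audits decide whether the search is genuinely required or could be dontaudited like the home-directory searches in this same patch.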
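Review bot: in the third hunk (@@ -193), `dev_read_sysfs(traceroute_t)` grants read access to `sysfs_t`, which is essentially the whole sysfs tree and is broader than the other additions here; the hunk gives no indication of what nmap reads under /sys, so the commit message or an inline comment should name the trigger so that a narrower interface can be considered if one exists.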
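Review bot: in the last hunk (@@ -208), the comment `# nmap searches .` is easy to misread because the trailing `.` looks like sentence punctuation; writing it as `# nmap searches the current working directory` makes clear why `userdom_dontaudit_search_user_home_dirs` and `userdom_dontaudit_search_user_home_content` are dontaudit rules rather than allows (a failed cwd search from a user's home is harmless and should just stay out of the audit log).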