2017-06-08 17:11:06

by Christian Göttsche

Subject: [refpolicy] [PATCH] netutils: update

From: cgzones <[email protected]>

---
policy/modules/admin/netutils.fc | 1 +
policy/modules/admin/netutils.te | 20 +++-----------------
2 files changed, 4 insertions(+), 17 deletions(-)

diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 4f77e1cc6..54c0793f7 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -3,6 +3,7 @@
/usr/bin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
/usr/bin/iptstate -- gen_context(system_u:object_r:netutils_exec_t,s0)
/usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+/usr/bin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
/usr/bin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 4ea58479c..7ddd4d941 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -49,7 +49,6 @@ manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })

-kernel_search_proc(netutils_t)
kernel_read_network_state(netutils_t)
kernel_read_all_sysctls(netutils_t)

@@ -73,7 +72,6 @@ fs_getattr_xattr_fs(netutils_t)

domain_use_interactive_fds(netutils_t)

-files_read_etc_files(netutils_t)
# for nscd
files_dontaudit_search_var(netutils_t)

@@ -86,9 +84,7 @@ logging_send_syslog_msg(netutils_t)

miscfiles_read_localization(netutils_t)

-term_dontaudit_use_console(netutils_t)
-userdom_use_user_terminals(netutils_t)
-userdom_use_all_users_fds(netutils_t)
+userdom_use_inherited_user_terminals(netutils_t)

optional_policy(`
nis_use_ypbind(netutils_t)
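Review bot: The commit message is empty, and the replacement of `term_dontaudit_use_console(netutils_t)`, `userdom_use_user_terminals(netutils_t)` and `userdom_use_all_users_fds(netutils_t)` by the single `userdom_use_inherited_user_terminals(netutils_t)` is the one change here that the existing review does not cover; the same substitution is made for ping_t (hunk @@ -142) and traceroute_t (hunk @@ -212). A one-paragraph description stating that these tools only write to the terminal they inherit, so the all-users-fds and console dontaudit rules are no longer needed, would let a reader confirm the tightening is intentional rather than a side effect of the cleanup. Dropping the dontaudit presumably means any remaining console access by netutils_t will now show up in the audit log, which is worth stating in the message so that new denials are not mistaken for a regression. The file section's hunks do not show the domain's transition rules, so whether every caller enters netutils_t with only inherited terminal fds cannot be confirmed from this patch alone.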
@@ -127,13 +123,8 @@ corenet_tcp_sendrecv_all_ports(ping_t)

dev_read_urand(ping_t)

-fs_dontaudit_getattr_xattr_fs(ping_t)
-
domain_use_interactive_fds(ping_t)

-files_read_etc_files(ping_t)
-files_dontaudit_search_var(ping_t)
-
kernel_read_system_state(ping_t)

auth_use_nsswitch(ping_t)
@@ -142,7 +133,7 @@ logging_send_syslog_msg(ping_t)

miscfiles_read_localization(ping_t)

-userdom_use_user_terminals(ping_t)
+userdom_use_inherited_user_terminals(ping_t)

ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
@@ -197,13 +188,8 @@ corenet_tcp_connect_all_ports(traceroute_t)
corenet_sendrecv_all_client_packets(traceroute_t)
corenet_sendrecv_traceroute_server_packets(traceroute_t)

-fs_dontaudit_getattr_xattr_fs(traceroute_t)
-
domain_use_interactive_fds(traceroute_t)

-files_read_etc_files(traceroute_t)
-files_dontaudit_search_var(traceroute_t)
-
init_use_fds(traceroute_t)

auth_use_nsswitch(traceroute_t)
@@ -212,7 +198,7 @@ logging_send_syslog_msg(traceroute_t)

miscfiles_read_localization(traceroute_t)

-userdom_use_user_terminals(traceroute_t)
+userdom_use_inherited_user_terminals(traceroute_t)

#rules needed for nmap
dev_read_rand(traceroute_t)
--
2.11.0


2017-06-08 22:34:33

by Chris PeBenito

Subject: [refpolicy] [PATCH] netutils: update

On 06/08/2017 01:11 PM, Christian Göttsche via refpolicy wrote:
> From: cgzones <[email protected]>
>
> ---
> policy/modules/admin/netutils.fc | 1 +
> policy/modules/admin/netutils.te | 20 +++-----------------
> 2 files changed, 4 insertions(+), 17 deletions(-)
>
> diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
> index 4f77e1cc6..54c0793f7 100644
> --- a/policy/modules/admin/netutils.fc
> +++ b/policy/modules/admin/netutils.fc
> @@ -3,6 +3,7 @@
> /usr/bin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
> /usr/bin/iptstate -- gen_context(system_u:object_r:netutils_exec_t,s0)
> /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
> +/usr/bin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0)
> /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
> /usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
> /usr/bin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
> diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
> index 4ea58479c..7ddd4d941 100644
> --- a/policy/modules/admin/netutils.te
> +++ b/policy/modules/admin/netutils.te
> @@ -49,7 +49,6 @@ manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
> manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
> files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
>
> -kernel_search_proc(netutils_t)
> kernel_read_network_state(netutils_t)
> kernel_read_all_sysctls(netutils_t)
>
> @@ -73,7 +72,6 @@ fs_getattr_xattr_fs(netutils_t)
>
> domain_use_interactive_fds(netutils_t)
>
> -files_read_etc_files(netutils_t)
> # for nscd
> files_dontaudit_search_var(netutils_t)
>
> @@ -86,9 +84,7 @@ logging_send_syslog_msg(netutils_t)
>
> miscfiles_read_localization(netutils_t)
>
> -term_dontaudit_use_console(netutils_t)
> -userdom_use_user_terminals(netutils_t)
> -userdom_use_all_users_fds(netutils_t)
> +userdom_use_inherited_user_terminals(netutils_t)
>
> optional_policy(`
> nis_use_ypbind(netutils_t)
> @@ -127,13 +123,8 @@ corenet_tcp_sendrecv_all_ports(ping_t)
>
> dev_read_urand(ping_t)
>
> -fs_dontaudit_getattr_xattr_fs(ping_t)
> -
> domain_use_interactive_fds(ping_t)
>
> -files_read_etc_files(ping_t)
> -files_dontaudit_search_var(ping_t)
> -
> kernel_read_system_state(ping_t)
>
> auth_use_nsswitch(ping_t)

I suspect many of these removals are due to auth_use_nsswitch(). I'd
prefer to keep the rules, even if they overlap auth_use_nsswitch(), as
the interface is very abstract (it's not obvious these perms are part of
the interface). If the interface implementation has to change in the
future, these rules may need to be added back.

The exception is kernel_search_proc() above, as it is also handled by
the other two kernel rules.


> @@ -142,7 +133,7 @@ logging_send_syslog_msg(ping_t)
>
> miscfiles_read_localization(ping_t)
>
> -userdom_use_user_terminals(ping_t)
> +userdom_use_inherited_user_terminals(ping_t)
>
> ifdef(`hide_broken_symptoms',`
> init_dontaudit_use_fds(ping_t)
> @@ -197,13 +188,8 @@ corenet_tcp_connect_all_ports(traceroute_t)
> corenet_sendrecv_all_client_packets(traceroute_t)
> corenet_sendrecv_traceroute_server_packets(traceroute_t)
>
> -fs_dontaudit_getattr_xattr_fs(traceroute_t)
> -
> domain_use_interactive_fds(traceroute_t)
>
> -files_read_etc_files(traceroute_t)
> -files_dontaudit_search_var(traceroute_t)
> -
> init_use_fds(traceroute_t)
>
> auth_use_nsswitch(traceroute_t)
> @@ -212,7 +198,7 @@ logging_send_syslog_msg(traceroute_t)
>
> miscfiles_read_localization(traceroute_t)
>
> -userdom_use_user_terminals(traceroute_t)
> +userdom_use_inherited_user_terminals(traceroute_t)
>
> #rules needed for nmap
> dev_read_rand(traceroute_t)
>


--
Chris PeBenito