| 1 |
commit: ff69b7bdfeb4f532cc5867b4637b0462fa97258d |
| 2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 3 |
AuthorDate: Sun Nov 18 07:41:07 2012 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Tue Nov 27 19:01:15 2012 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ff69b7bd |
| 7 |
|
| 8 |
tcpdump chroots into /var/lib/tcpdump |
| 9 |
|
| 10 |
When invoking tcpdump, the application creates a netlink_socket and then chroots |
| 11 |
into /var/lib/tcpdump. |
| 12 |
|
| 13 |
Without the right to create a netlink_socket: |
| 14 |
tcpdump: Can't open netlink socket 13:Permission denied |
| 15 |
|
| 16 |
Without the right on dac_read_search and sys_chroot: |
| 17 |
tcpdump: Couldn't chroot/chdir to '/var/lib/tcpdump': Permission denied |
| 18 |
|
| 19 |
See also https://bugs.gentoo.org/show_bug.cgi?id=443624 |
| 20 |
|
| 21 |
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
| 22 |
|
| 23 |
--- |
| 24 |
policy/modules/admin/netutils.te | 6 ++++-- |
| 25 |
1 files changed, 4 insertions(+), 2 deletions(-) |
| 26 |
|
| 27 |
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te |
| 28 |
index 8be4775..3526689 100644 |
| 29 |
--- a/policy/modules/admin/netutils.te |
| 30 |
+++ b/policy/modules/admin/netutils.te |
| 31 |
@@ -33,10 +33,11 @@ init_system_domain(traceroute_t, traceroute_exec_t) |
| 32 |
# |
| 33 |
|
| 34 |
# Perform network administration operations and have raw access to the network. |
| 35 |
-allow netutils_t self:capability { net_admin net_raw setuid setgid }; |
| 36 |
-dontaudit netutils_t self:capability sys_tty_config; |
| 37 |
+allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot }; |
| 38 |
+dontaudit netutils_t self:capability { dac_override sys_tty_config }; |
| 39 |
allow netutils_t self:process { setcap signal_perms }; |
| 40 |
allow netutils_t self:netlink_route_socket create_netlink_socket_perms; |
| 41 |
+allow netutils_t self:netlink_socket create_socket_perms; |
| 42 |
allow netutils_t self:packet_socket create_socket_perms; |
| 43 |
allow netutils_t self:udp_socket create_socket_perms; |
| 44 |
allow netutils_t self:tcp_socket create_stream_socket_perms; |
| 45 |
@@ -47,6 +48,7 @@ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) |
| 46 |
files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) |
| 47 |
|
| 48 |
kernel_search_proc(netutils_t) |
| 49 |
+kernel_read_network_state(netutils_t) |
| 50 |
kernel_read_all_sysctls(netutils_t) |
| 51 |
|
| 52 |
corenet_all_recvfrom_unlabeled(netutils_t) |
Archives