commit: ff69b7bdfeb4f532cc5867b4637b0462fa97258d |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Sun Nov 18 07:41:07 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Nov 27 19:01:15 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ff69b7bd |
|
tcpdump chroots into /var/lib/tcpdump |
|
When invoking tcpdump, the application creates a netlink_socket and then chroots |
into /var/lib/tcpdump. |
|
Without the right to create a netlink_socket: |
tcpdump: Can't open netlink socket 13:Permission denied |
|
Without the dac_read_search and sys_chroot capabilities: |
tcpdump: Couldn't chroot/chdir to '/var/lib/tcpdump': Permission denied |
|
See also https://bugs.gentoo.org/show_bug.cgi?id=443624 |
|
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
|
--- |
policy/modules/admin/netutils.te | 6 ++++-- |
1 files changed, 4 insertions(+), 2 deletions(-) |
|
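diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 8be4775..3526689 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -33,10 +33,11 @@ init_system_domain(traceroute_t, traceroute_exec_t)
 #
 
 # Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { net_admin net_raw setuid setgid };
-dontaudit netutils_t self:capability sys_tty_config;
+allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot };
+dontaudit netutils_t self:capability { dac_override sys_tty_config };
 allow netutils_t self:process { setcap signal_perms };
 allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
+allow netutils_t self:netlink_socket create_socket_perms;
 allow netutils_t self:packet_socket create_socket_perms;
 allow netutils_t self:udp_socket create_socket_perms;
 allow netutils_t self:tcp_socket create_stream_socket_perms;
@@ -47,6 +48,7 @@ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
 files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
 
 kernel_search_proc(netutils_t)
+kernel_read_network_state(netutils_t)
 kernel_read_all_sysctls(netutils_t)
 
 corenet_all_recvfrom_unlabeled(netutils_t)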
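Review bot: In the first hunk, the comment above the capability rule, `# Perform network administration operations and have raw access to the network.`, no longer describes what is granted: dac_read_search and sys_chroot are filesystem capabilities, and the reason for them (the chroot into /var/lib/tcpdump) exists only in the commit message, not in the policy. A comment on the new allow line would keep the rationale with the rule, e.g. `# tcpdump chroots into /var/lib/tcpdump: sys_chroot for the chroot, dac_read_search for the chdir into it`. netutils_t appears to be a domain shared by several utilities rather than tcpdump alone, so the new capabilities and the netlink_socket permission are extended to every program running in it; if that breadth is not intended, a tcpdump-specific domain or a tunable would confine it. The hunk also does not show whether the domain already has search access to the SELinux label of /var/lib/tcpdump; if it is labeled var_lib_t, the chdir needs an interface such as files_search_var_lib() in addition to the capability, and the diff does not add one.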