commit: c13b9d0ad5d447db396972111c4534dbdb00e3d9
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec 7 14:49:14 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:31 2022 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c13b9d0a
netutils: minor fixes for nmap and traceroute
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/admin/netutils.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 3f85d1a57..85c9a33d5 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -40,6 +40,8 @@ init_system_domain(traceroute_t, traceroute_exec_t)
allow netutils_t self:capability { dac_read_search net_admin net_raw setgid
setpcap setuid sys_chroot };
dontaudit netutils_t self:capability { dac_override sys_tty_config };
allow netutils_t self:process { getcap setcap signal_perms };
+# netlink_generic_socket for nmap.
+allow netutils_t self:netlink_generic_socket create_socket_perms;
allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
allow netutils_t self:netlink_socket create_socket_perms;
# For tcpdump.
@@ -73,6 +75,8 @@ fs_getattr_xattr_fs(netutils_t)
domain_use_interactive_fds(netutils_t)
+kernel_dontaudit_getattr_proc(netutils_t)
+
files_read_etc_files(netutils_t)
# for nscd
files_dontaudit_search_var(netutils_t)
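Review bot: The added `kernel_dontaudit_getattr_proc(netutils_t)` carries no comment naming which tool produced the proc getattr denial or why it is safe to silence, while the neighbouring rules (`# for nscd` here, `# For tcpdump.` in the first hunk) each record their caller. Since traceroute_t is a separate domain and the commit title names only nmap and traceroute, this is presumably nmap's denial; a one-line `# for nmap` above it, or whatever the real trigger was, would let the next maintainer re-check it. Because a dontaudit also hides every future denial of this access, the comment should also state that the getattr is not functionally required (the program copes with the failure) rather than an access that should have been allowed.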
@@ -177,6 +181,7 @@ userdom_use_inherited_user_terminals(ss_t)
allow traceroute_t self:capability { net_admin net_raw setgid setuid };
allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
allow traceroute_t self:process signal;
+allow traceroute_t self:netlink_generic_socket create_socket_perms;
allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:packet_socket { map create_socket_perms };
allow traceroute_t self:udp_socket create_socket_perms;
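Review bot: The new `allow traceroute_t self:netlink_generic_socket create_socket_perms;` has no comment, whereas the matching netutils_t rule in the first hunk is annotated with the tool that needs it; a line such as `# netlink_generic_socket for traceroute.` (or, better, the operation that needs generic netlink, if known) would keep the two consistent. Generic netlink is not an obvious requirement for a raw-IP/UDP probe tool, so recording what triggered the denial would help a later reviewer decide whether the access is still needed when traceroute changes.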