From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/1] tcpdump chroots into /var/lib/tcpdump
Date: Sun, 18 Nov 2012 08:41:07 +0100 [thread overview]
Message-ID: <20121118074107.GA27263@siphos.be> (raw)
When invoking tcpdump, the application creates a netlink_socket and then chroots
into /var/lib/tcpdump.
Without the right to create a netlink_socket:
tcpdump: Can't open netlink socket 13:Permission denied
Without the right on dac_read_search and sys_chroot:
tcpdump: Couldn't chroot/chdir to '/var/lib/tcpdump': Permission denied
See also https://bugs.gentoo.org/show_bug.cgi?id=443624
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/admin/netutils.te | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index b6c221d..606948a 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -33,10 +33,11 @@ init_system_domain(traceroute_t, traceroute_exec_t)
#
# Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { net_admin net_raw setuid setgid };
-dontaudit netutils_t self:capability sys_tty_config;
+allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot };
+dontaudit netutils_t self:capability { dac_override sys_tty_config };
allow netutils_t self:process { setcap signal_perms };
allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
+allow netutils_t self:netlink_socket create_socket_perms;
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;
@@ -47,6 +48,7 @@ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
kernel_search_proc(netutils_t)
+kernel_read_network_state(netutils_t)
kernel_read_all_sysctls(netutils_t)
corenet_all_recvfrom_unlabeled(netutils_t)
--
1.7.8.6
next reply other threads:[~2012-11-18 7:41 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-18 7:41 Sven Vermeulen [this message]
2012-11-27 14:28 ` [refpolicy] [PATCH 1/1] tcpdump chroots into /var/lib/tcpdump Christopher J. PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121118074107.GA27263@siphos.be \
--to=sven.vermeulen@siphos.be \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.