netutils: Add some permissions required by nmap to traceroute_t

nmap currently also needs "self:socket create", but I've submitted a
kernel patch to ameliorate this.
Luis Ressel 2017-06-19 00:53:34 +02:00 committed by Chris PeBenito
parent afe26f2e2f
commit 261e2772d1


@ -165,6 +165,7 @@ optional_policy(`
#
allow traceroute_t self:capability { net_admin net_raw setgid setuid };
allow traceroute_t self:process signal;
allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:packet_socket create_socket_perms;
allow traceroute_t self:udp_socket create_socket_perms;
@ -172,6 +173,8 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
corecmd_search_bin(traceroute_t)
corenet_all_recvfrom_unlabeled(traceroute_t)
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t)
@ -193,6 +196,7 @@ corenet_sendrecv_traceroute_server_packets(traceroute_t)
dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
dev_read_sysfs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
@ -208,3 +212,7 @@ logging_send_syslog_msg(traceroute_t)
miscfiles_read_localization(traceroute_t)
userdom_use_inherited_user_terminals(traceroute_t)
# nmap searches .
userdom_dontaudit_search_user_home_dirs(traceroute_t)
userdom_dontaudit_search_user_home_content(traceroute_t)
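Review bot: The comment `# nmap searches .` over the two `userdom_dontaudit_search_user_home_*` calls at the end of the file does not say that `.` is the working directory nmap is started from, nor that the denial is being hidden rather than the access granted; something like `# nmap searches its current working directory (usually the user's home) on startup; the access is not needed, so hide the denial` would be clearer. The grants that appear to be new in the earlier hunks (likely `allow traceroute_t self:process signal;`, `corecmd_search_bin(traceroute_t)` and `dev_read_sysfs(traceroute_t)`, inferred from the hunk counts because the +/- markers are lost on this page) carry no comment at all, although they widen traceroute_t for every program that runs in that domain, not only nmap. A short `# needed by nmap` on each would let a later audit tell which rules can be dropped if nmap ever gets its own domain. Because dontaudit rules suppress the AVC records, anyone debugging nmap in this domain has to rebuild the policy with dontaudit rules disabled (`semodule -DB`) to see these searches.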