Bug 146579

Summary: nmap (traceroute_t) denials
Product: Fedora
Reporter: Ivan Gyurdiev <ivg231>
Component: selinux-policy-strict
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: rawhide
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-02-23 01:00:34 UTC

Description Ivan Gyurdiev 2005-01-29 23:01:15 UTC

Description of problem:
I was bored, so I decided to get some denials :)

nmap denials attached. The type of nmap is traceroute_t.
Here I am logged in as root, doing a localhost scan.

denied { read } random_device_t
denied { read } urandom_device_t
denied { read } locale_t 
denied { read } usr_t
denied { dac_override dac_read_search } self
denied { search } proc_net_t
denied { search } staff_home_dir_t

audit(1107039281.765:0): avc:  denied  { read } for  pid=4404
exe=/usr/bin/nmap name=urandom dev=tmpfs ino=562
scontext=root:sysadm_r:traceroute_t 
tcontext=system_u:object_r:urandom_device_t tclass=chr_file

audit(1107039281.766:0): avc:  denied  { read } for  pid=4404
exe=/usr/bin/nmap name=random dev=tmpfs ino=559
scontext=root:sysadm_r:traceroute_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

audit(1107039281.767:0): avc:  denied  { read } for  pid=4404
exe=/usr/bin/nmap name=localtime dev=dm-0 ino=668626
scontext=root:sysadm_r:traceroute_t
tcontext=system_u:object_r:locale_t tclass=file

audit(1107039281.769:0): avc:  denied  { search } for  pid=4404
exe=/usr/bin/nmap name=root dev=dm-0 ino=81121
scontext=root:sysadm_r:traceroute_t
tcontext=root:object_r:staff_home_dir_t tclass=dir

audit(1107039281.806:0): avc:  denied  { read } for  pid=4404
exe=/usr/bin/nmap name=nmap-services dev=dm-0 ino=130597
scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:usr_t
tclass=file

audit(1107039281.806:0): avc:  denied  { dac_override } for  pid=4404
exe=/usr/bin/nmap capability=1 scontext=root:sysadm_r:traceroute_t
tcontext=root:sysadm_r:traceroute_t tclass=capability

audit(1107039281.807:0): avc:  denied  { dac_read_search } for 
pid=4404 exe=/usr/bin/nmap capability=2
scontext=root:sysadm_r:traceroute_t
tcontext=root:sysadm_r:traceroute_t tclass=capability

audit(1107039281.812:0): avc:  denied  { search } for  pid=4404
exe=/usr/bin/nmap name=net dev=proc ino=-268435434
scontext=root:sysadm_r:traceroute_t
tcontext=system_u:object_r:proc_net_t tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.21.5-2

How reproducible:
Didn't try

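An added example, not code from the bug report or from the Fedora policy package: a small Python triage helper that parses the legacy pre-auditd AVC lines quoted above into the per-type summary at the top of the report and renders candidate allow rules in the old-style policy syntax. The sample input is three records copied from this report; capability grants are flagged for review rather than emitted blindly.

```python
import re
from collections import defaultdict

# Three records copied from the report above (legacy pre-auditd AVC format).
SAMPLE = """
audit(1107039281.765:0): avc:  denied  { read } for  pid=4404
exe=/usr/bin/nmap name=urandom dev=tmpfs ino=562
scontext=root:sysadm_r:traceroute_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1107039281.806:0): avc:  denied  { dac_override } for  pid=4404
exe=/usr/bin/nmap capability=1 scontext=root:sysadm_r:traceroute_t
tcontext=root:sysadm_r:traceroute_t tclass=capability
audit(1107039281.807:0): avc:  denied  { dac_read_search } for
pid=4404 exe=/usr/bin/nmap capability=2
scontext=root:sysadm_r:traceroute_t
tcontext=root:sysadm_r:traceroute_t tclass=capability
"""
RECORD_RE = re.compile(r"audit\([\d.]+:\d+\):\s*avc:\s*denied\s*\{(?P<perms>[^}]*)\}"
                       r"\s*for\s+(?P<fields>.*?)(?=audit\(|\Z)", re.S)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(text):
    """One dict per denial; records wrap over lines, so the regex spans them."""
    records = []
    for m in RECORD_RE.finditer(text):
        f = dict(FIELD_RE.findall(m.group("fields")))
        records.append({"perms": m.group("perms").split(), "scontext": f["scontext"],
                        "tcontext": f["tcontext"], "tclass": f["tclass"]})
    return records

def type_of(ctx):
    return ctx.split(":")[2]  # user:role:type -> type

def summarize(records):
    """{(source_type, target, tclass): set(perms)}; target == source becomes 'self'."""
    out = defaultdict(set)
    for r in records:
        tgt = "self" if r["tcontext"] == r["scontext"] else type_of(r["tcontext"])
        out[(type_of(r["scontext"]), tgt, r["tclass"])].update(r["perms"])
    return out

def allow_rules(summary):
    """Candidate rules in the old-style policy syntax; capability grants are
    flagged for review, since dac_override/dac_read_search bypass DAC domain-wide."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        rules.append(("# REVIEW: " if cls == "capability" else "") + rule)
    return rules
```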
Comment 1 Daniel Walsh 2005-01-31 20:55:29 UTC
There is a policy in strict/unused for nessusd, which would probably work well
for what you are trying to do.  Since we don't ship nmap, we don't include this
policy.  You would have to do it yourself.

We don't support all policy files since they cause the policy file to swell.  So
we only ship policy for rpms that we ship.


Dan

Comment 2 Ivan Gyurdiev 2005-01-31 22:05:36 UTC
Sure you do. It comes right after nkf and right before nptl-devel.

[phantom@cobra ~]$ rpm -qi nmap|grep Vendor
Version     : 3.78                              Vendor: Red Hat, Inc.
[phantom@cobra ~]$

Comment 3 Daniel Walsh 2005-01-31 22:16:42 UTC
I guess we do.  Can you try the nessusd domain on it?

Dan

Comment 4 Daniel Walsh 2005-02-09 15:10:40 UTC
OK, I updated the traceroute policy to include the privs:
selinux-policy-strict-1.21.10-1

Comment 5 Ivan Gyurdiev 2005-02-09 20:38:42 UTC
It needs an nscd_client_domain attribute, I think:

audit(1107981143.046:0): avc:  denied  { search } for  pid=18383
exe=/usr/bin/nmap name=run dev=dm-0 ino=1168164
scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:var_run_t tclass=dir

audit(1107981143.047:0): avc:  denied  { search } for  pid=18383
exe=/usr/bin/nmap name=nscd dev=dm-0 ino=146399
scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir

userdomain does not cover staff_home_dir_t:

audit(1107981143.048:0): avc:  denied  { search } for  pid=18383
exe=/usr/bin/nmap name=root dev=dm-0 ino=81121
scontext=root:sysadm_r:traceroute_t tcontext=root:object_r:staff_home_dir_t
tclass=dir

I think the fact I'm running this from the policy dir has
something to do with this - does it look for something in the current
directory?

audit(1107981143.178:0): avc:  denied  { search } for  pid=18383
exe=/usr/bin/nmap name=program dev=dm-0 ino=681592
scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:policy_src_t
tclass=dir


Comment 6 Ivan Gyurdiev 2005-02-23 01:00:34 UTC
Closing this for now.
Most denials have been fixed, I think.