Bug 146579
Field | Value
---|---
Summary | nmap (traceroute_t) denials
Product | Fedora
Component | selinux-policy-strict
Status | CLOSED RAWHIDE
Severity | medium
Priority | medium
Version | rawhide
Hardware | i386
OS | Linux
Reporter | Ivan Gyurdiev <ivg231>
Assignee | Daniel Walsh <dwalsh>
Doc Type | Bug Fix
Last Closed | 2005-02-23 01:00:34 UTC
Description
Ivan Gyurdiev
2005-01-29 23:01:15 UTC
There is a policy in strict/unused for nessusd, which would probably work well for what you are trying to do. Since we don't ship nmap, we don't include this policy. You would have to do it yourself. We don't support all policy files since they cause the policy file to swell, so we only ship policy for rpms that we ship.

Dan

Sure you do. It comes right after nkf and right before nptl-devel.

```
[phantom@cobra ~]$ rpm -qi nmap|grep Vendor
Version     : 3.78                              Vendor: Red Hat, Inc.
[phantom@cobra ~]$
```

I guess we do. Can you try the nessusd domain on it?

Dan

Ok, I updated traceroute policy to include privs.

selinux-policy-strict-1.21.10-1

It needs an nscd_client_domain attribute, I think:

```
audit(1107981143.046:0): avc: denied { search } for pid=18383 exe=/usr/bin/nmap name=run dev=dm-0 ino=1168164 scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:var_run_t tclass=dir
audit(1107981143.047:0): avc: denied { search } for pid=18383 exe=/usr/bin/nmap name=nscd dev=dm-0 ino=146399 scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
```

userdomain does not cover staff_home_dir_t:

```
audit(1107981143.048:0): avc: denied { search } for pid=18383 exe=/usr/bin/nmap name=root dev=dm-0 ino=81121 scontext=root:sysadm_r:traceroute_t tcontext=root:object_r:staff_home_dir_t tclass=dir
```

I think the fact I'm running this from the policy dir has something to do with this - does it look for something in the current directory?

```
audit(1107981143.178:0): avc: denied { search } for pid=18383 exe=/usr/bin/nmap name=program dev=dm-0 ino=681592 scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:policy_src_t tclass=dir
```

Closing this for now. Most denials have been fixed, I think.
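As an added example (not code from the bug or from the Fedora policy), the following parser turns the AVC denials quoted in this bug into the allow rules they imply, the way audit2allow would, and attaches a review hint to each so that incidental denials (such as the one caused by running nmap from the policy source directory) are not turned into policy blindly. The hint table is an assumption drawn from the comments above.

```python
import re

# Constructed input: the four AVC denials quoted in the bug (nmap confined as traceroute_t).
AVC_LOG = """\
audit(1107981143.046:0): avc: denied { search } for pid=18383 exe=/usr/bin/nmap name=run dev=dm-0 ino=1168164 scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:var_run_t tclass=dir
audit(1107981143.047:0): avc: denied { search } for pid=18383 exe=/usr/bin/nmap name=nscd dev=dm-0 ino=146399 scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
audit(1107981143.048:0): avc: denied { search } for pid=18383 exe=/usr/bin/nmap name=root dev=dm-0 ino=81121 scontext=root:sysadm_r:traceroute_t tcontext=root:object_r:staff_home_dir_t tclass=dir
audit(1107981143.178:0): avc: denied { search } for pid=18383 exe=/usr/bin/nmap name=program dev=dm-0 ino=681592 scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:policy_src_t tclass=dir
"""

# One AVC record: permission set, source context, target context, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)

# Review hints taken from the discussion in this bug (assumption: these types/attributes exist).
TARGET_HINTS = {
    "nscd_var_run_t": "give the domain the nscd_client_domain attribute rather than a raw allow",
    "staff_home_dir_t": "home-dir search normally comes from userdomain; check why the domain needs it",
    "policy_src_t": "caused by running from the policy source dir; change cwd, do not allow",
}


def parse_avc(text):
    """Return (source_type, target_type, tclass, perms) for every AVC line in text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (or a truncated one)
        stype = m.group("scontext").split(":")[2]  # user:role:type -> type
        ttype = m.group("tcontext").split(":")[2]
        denials.append((stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())))
    return denials


def allow_rules(denials):
    """Merge denials into allow rules, one per (source, target, class), like audit2allow."""
    merged = {}  # dicts keep insertion order, so rules come out in log order
    for stype, ttype, tclass, perms in denials:
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in merged.items()]


def triage(denials):
    """Pair each implied rule with a review hint so nothing is allowed blindly."""
    return [(rule, TARGET_HINTS.get(rule.split()[2].split(":")[0], "plain allow; verify the access is intended"))
            for rule in allow_rules(denials)]
```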