From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 30628158021
	for ; Tue, 13 Dec 2022 20:55:15 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 5096EE0905;
	Tue, 13 Dec 2022 20:55:14 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 32F39E0905
	for ; Tue, 13 Dec 2022 20:55:14 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 55A0C340C7B
	for ; Tue, 13 Dec 2022 20:55:13 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id C9FB37C6
	for ; Tue, 13 Dec 2022 20:55:10 +0000 (UTC)
From: "Kenton Groombridge"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge"
Message-ID: <1670958451.c13b9d0ad5d447db396972111c4534dbdb00e3d9.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/admin/netutils.te
X-VCS-Directories: policy/modules/admin/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: c13b9d0ad5d447db396972111c4534dbdb00e3d9
X-VCS-Branch: master
Date: Tue, 13 Dec 2022 20:55:10 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: a652a910-9a4c-4b7d-bd11-705370cd4ea9
X-Archives-Hash: 188b728bbaec6e3e8f4f1ee7743af122

commit:     c13b9d0ad5d447db396972111c4534dbdb00e3d9
Author:     Kenton Groombridge concord sh>
AuthorDate: Wed Dec  7 14:49:14 2022 +0000
Commit:     Kenton Groombridge gentoo org>
CommitDate: Tue Dec 13 19:07:31 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c13b9d0a

netutils: minor fixes for nmap and traceroute

Signed-off-by: Kenton Groombridge concord.sh>
Signed-off-by: Kenton Groombridge gentoo.org>

 policy/modules/admin/netutils.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 3f85d1a57..85c9a33d5 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -40,6 +40,8 @@ init_system_domain(traceroute_t, traceroute_exec_t) allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setpcap setuid sys_chroot }; dontaudit netutils_t self:capability { dac_override sys_tty_config }; allow netutils_t self:process { getcap setcap signal_perms }; +# netlink_generic_socket for nmap. +allow netutils_t self:netlink_generic_socket create_socket_perms; allow netutils_t self:netlink_route_socket create_netlink_socket_perms; allow netutils_t self:netlink_socket create_socket_perms; # For tcpdump. @@ -73,6 +75,8 @@ fs_getattr_xattr_fs(netutils_t) domain_use_interactive_fds(netutils_t) +kernel_dontaudit_getattr_proc(netutils_t) + files_read_etc_files(netutils_t) # for nscd files_dontaudit_search_var(netutils_t) @@ -177,6 +181,7 @@ userdom_use_inherited_user_terminals(ss_t) allow traceroute_t self:capability { net_admin net_raw setgid setuid }; allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms; allow traceroute_t self:process signal; +allow traceroute_t self:netlink_generic_socket create_socket_perms; allow traceroute_t self:rawip_socket create_socket_perms; allow traceroute_t self:packet_socket { map create_socket_perms }; allow traceroute_t self:udp_socket create_socket_perms;
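Review bot: In the first hunk (@@ -40,6 +40,8 @@), the comment `# netlink_generic_socket for nmap.` understates what `allow netutils_t self:netlink_generic_socket create_socket_perms;` grants: netutils_t is a shared domain (the `# For tcpdump.` comment two lines below shows other tools run in it), and generic netlink multiplexes many kernel families, so every program in the domain can now create generic netlink sockets for any family. Please extend the comment to record which nmap operation needed the socket and the denial that prompted the rule, so a later reviewer can tell whether the access is still required when nmap changes.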
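Review bot: In the second hunk (@@ -73,6 +75,8 @@), `kernel_dontaudit_getattr_proc(netutils_t)` is added without the explanatory comment the first hunk carries. A dontaudit silences the denial instead of granting the access, which is only appropriate when the failed getattr on proc is harmless; if nmap or another netutils_t program actually depends on the result, the failure becomes invisible and hard to diagnose. Suggest a one-line comment above the call naming the tool that triggers the access and stating that it works correctly without it, and confirming that the affected utilities were exercised with the rule in place.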
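Review bot: In the third hunk (@@ -177,6 +181,7 @@), `allow traceroute_t self:netlink_generic_socket create_socket_perms;` has no comment, unlike the matching netutils_t rule in the first hunk. Since traceroute_t already holds `net_admin` and `net_raw` and now gains generic netlink socket creation, a short comment noting which traceroute implementation or option uses generic netlink would keep the two additions consistently documented and make the grant easy to revisit.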