SELinux [Electronic resources] - text version

Bill McCarty


9.7 Allowing a User Access to an Existing Domain


Let's continue the case study from the preceding section by observing that users other than the system administrator can't use Nmap:

#id -Z
root:staff_r:staff_t
#nmap -sT 127.0.0.1
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-01 11:13 PDT
Unable to find nmap-services! Resorting to /etc/services
socket troubles in massping : Permission denied

The relevant AVC log message is:

avc:  denied  { create } for  pid=8940 exe=/usr/bin/nmap scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=rawip_socket

The message tells us that a process in the staff_t domain, here Nmap started from the staff_r role, is not authorized to create a raw IP socket (tclass=rawip_socket, permission create). We could simply allow the staff_t domain to do so. But this naive approach would confer excessive permissions: every program a staff_r user runs, not just Nmap, could then open raw sockets. Indeed, it's debatable whether we should allow staff_r access to Nmap at all. But let's presume that we do want to authorize access to Nmap without generally authorizing creation of raw IP sockets.


Unless you have a good reason, I don't recommend that you authorize staff_r users to access Nmap. Limiting the permissions available to staff_r users is consistent with the principle of least privilege. If you do choose to authorize Nmap access, carefully consider whether to do so by using the approach explained here, which authorizes staff_r for the entire traceroute_t domain (and therefore for every program that transitions into it, such as traceroute itself), rather than only the Nmap program. The following section shows a more focused alternative approach.

Apparently, the problem is that the staff_r role is not authorized for the traceroute_t type, so a process running under that role cannot enter the traceroute_t domain; it keeps running as staff_t, which lacks the raw-socket permission. Inspecting the traceroute.te file, we find the following two role declarations:

role sysadm_r types traceroute_t;
role system_r types traceroute_t;

Add a third declaration having the same form:

role staff_r  types traceroute_t;

To give effect to the change, load the revised policy. Then, retry
Nmap:

#make load
#nmap -sT 127.0.0.1
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-01 11:43 PDT
Interesting ports on bill-a31 (127.0.0.1):
(The 1658 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
222/tcp open rsh-spx
Nmap run completed -- 1 IP address (1 host up) scanned in 0.469 seconds

This time, Nmap works as expected.
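As an added example, not code from the book, the following POSIX shell script automates the two diagnostic steps just walked through: it pulls the permission, source type, target type and object class out of an avc: denied line, and it adds a role declaration to a .te file only if an identical one is not already there, so the edit can be repeated safely. The function names, the temporary stand-in for traceroute.te, and the sample AVC line (copied from the text) are constructions of this example; the real "make load" step is left to the caller because it needs the actual policy source tree.

```sh
#!/bin/sh
# Added example, not code from the book: automate the two diagnostic steps
# of this section against a .te file.  Function names and the temporary
# stand-in for traceroute.te are assumptions of this example.

# Constructed sample: the AVC message quoted in the text.
SAMPLE_AVC='avc:  denied  { create } for  pid=8940 exe=/usr/bin/nmap scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=rawip_socket'

# avc_fields LINE
# Prints "PERMS SOURCE_TYPE TARGET_TYPE CLASS" for one "avc: denied" line.
# The type is the third field of each context (user:role:type[:level]), so
# the parser also copes with MLS contexts.  Several permissions inside the
# braces are joined with commas.
avc_fields() {
    printf '%s\n' "$1" | awk '
    {
        perms = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                i++
                while (i <= NF && $i != "}") {
                    perms = perms (perms == "" ? "" : ",") $i
                    i++
                }
            } else if (index($i, "scontext=") == 1) {
                split(substr($i, 10), c, ":"); src = c[3]
            } else if (index($i, "tcontext=") == 1) {
                split(substr($i, 10), c, ":"); tgt = c[3]
            } else if (index($i, "tclass=") == 1) {
                cls = substr($i, 8)
            }
        }
        print perms, src, tgt, cls
    }'
}

# role_allows_type TE_FILE ROLE TYPE
# Succeeds if TE_FILE already carries "role ROLE types TYPE;" (single-type
# form; a "types { a b }" list is not recognised by this simple check).
role_allows_type() {
    grep -Eq "^[[:space:]]*role[[:space:]]+$2[[:space:]]+types[[:space:]]+$3[[:space:]]*;" "$1"
}

# grant_role_type TE_FILE ROLE TYPE
# Appends the declaration unless it is already present, so the edit is
# idempotent.  Loading the policy (make load) is left to the caller.
grant_role_type() {
    role_allows_type "$1" "$2" "$3" && return 0
    printf 'role %s types %s;\n' "$2" "$3" >> "$1"
}

# demo: run both steps against a constructed stand-in for traceroute.te.
# Returns 0 when the staff_r declaration ends up present exactly once.
demo() {
    te=$(mktemp) || return 1
    cat > "$te" <<'EOF'
role sysadm_r types traceroute_t;
role system_r types traceroute_t;
EOF
    set -- $(avc_fields "$SAMPLE_AVC")
    echo "denied: perms=$1 source=$2 target=$3 class=$4"
    # The denial names staff_t, but the least-privilege fix is the role
    # declaration, not "allow staff_t self:rawip_socket create;".
    grant_role_type "$te" staff_r traceroute_t
    grant_role_type "$te" staff_r traceroute_t   # no-op the second time
    n=$(grep -c '^role staff_r types traceroute_t;' "$te")
    cat "$te"
    rm -f "$te"
    [ "$n" -eq 1 ]
}

demo
```

Point grant_role_type at the real traceroute.te, then run make load in the policy source directory and retry Nmap as shown above. If the role declaration is present and the command still fails in staff_t, check the conditional transition discussed next (the user_ping boolean) before reaching for a broader allow rule.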

In general, one additional step is often needed to add a user to an existing domain: a transition rule that carries the user's processes into the domain when they execute the domain's entry-point program. In the case of the traceroute_t domain, a conditional transition already exists:

ifdef(`ping.te', `
if (user_ping) {
domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
# allow access to the terminal
allow traceroute_t { ttyfile ptyfile }:chr_file rw_file_perms;
}
')

This transition authorizes processes in any domain that carries the unpriv_userdomain attribute (an attribute shared by the unprivileged user domains such as staff_t and user_t, not a type) to enter the traceroute_t domain by executing a program labeled with the traceroute_exec_t type. Because the rule sits inside ifdef(`ping.te', ...) and if (user_ping), it is in effect only when the policy includes ping.te and the user_ping boolean is on; if a staff_r user still cannot run Nmap after the role declaration is added, that boolean is the next thing to check. Nmap, which performs ping-style probes and runs in the traceroute_t domain in this case study, benefits from this general-purpose transition, so we didn't find it necessary to add a new one. Otherwise, we might have added a transition of the form:

domain_auto_trans(staff_t, traceroute_exec_t, traceroute_t)

The allow declaration inside this conditional transition authorizes processes in the traceroute_t domain to read and write terminal and pseudoterminal device files (the ttyfile and ptyfile types). A process that transitions into traceroute_t inherits its standard input, output, and error descriptors, which normally refer to the user's terminal device, so without this rule traceroute (and Nmap) could not write their results to the terminal.

