Allowing a User Access to an Existing Domain

Let’s continue the case study from the preceding section by observing that users other than the system administrator can’t use Nmap:

# id -Z
root:staff_r:staff_t
# nmap -sT 127.0.0.1

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-01 11:13 PDT
Unable to find nmap-services!  Resorting to /etc/services
socket troubles in massping : Permission denied

The relevant AVC log message is:

avc:  denied  { create } for  pid=8940 exe=/usr/bin/nmap scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=rawip_socket

The message tells us that processes in the staff_t domain (the domain used by the staff_r role) are not authorized to create a raw IP socket. We could simply authorize the domain to do so, but this naive approach would likely confer excessive permissions. Indeed, it’s debatable whether we should allow staff_r access to Nmap at all. But let’s presume that we do want to authorize access to Nmap without generally authorizing creation of raw IP sockets.
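Reading the AVC message by hand is easy for one line; when you are working through a denial log, it helps to reduce each line to the fields that matter for the decision above: which source domain and role were denied, on which object class, for which permissions. The following is an added example, not code from the book: a small POSIX shell function that does this with awk. The two log lines are constructed for the example (the first mirrors the denial quoted above; the second is a made-up chr_file denial of the kind the terminal rule later in this section addresses).

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denial lines as
#   "<source type> <source role> <object class> <permissions>"
# so that a denial log can be scanned for which domain/role needs attention.

# Constructed sample lines (not copied from a real system).
SAMPLE_AVC='avc:  denied  { create } for  pid=8940 exe=/usr/bin/nmap scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=rawip_socket
avc:  denied  { read write } for  pid=8941 exe=/usr/bin/nmap scontext=root:staff_r:traceroute_t tcontext=system_u:object_r:devpts_t tclass=chr_file'

# avc_summary: read AVC lines on stdin, print one summary line per denial.
avc_summary() {
    awk '
    /avc: *denied/ {
        # The permission set sits between the first "{" and the following "}".
        perms = $0
        sub(/^.*\{ */, "", perms)
        sub(/ *\}.*$/, "", perms)
        role = ""; type = ""; class = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) {
                # scontext is user:role:type; keep role and type.
                split(substr($i, 10), ctx, ":")
                role = ctx[2]; type = ctx[3]
            }
            if ($i ~ /^tclass=/) class = substr($i, 8)
        }
        print type, role, class, perms
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

For the quoted denial this prints `staff_t staff_r rawip_socket create`, which is exactly the question the text poses: should staff_t itself gain rawip_socket create (too broad), or should staff_r instead be allowed into a domain that already holds that permission?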

Warning

Unless you have a good reason, I don’t recommend that you authorize staff_r users to access Nmap. Limiting the permissions available to staff_r users is consistent with the principle of least privilege. If you do choose to authorize Nmap access, carefully consider whether to do so by using the approach explained here, which authorizes access to the entire traceroute_t domain, rather than only the Nmap program. The following section shows a more focused alternative approach.

Apparently, the problem is that staff_r is not authorized to enter the traceroute_t domain. Inspecting the traceroute.te file, we find the following two role declarations:

role sysadm_r types traceroute_t;
role system_r types traceroute_t;

Add a third declaration having the same form:

role staff_r types traceroute_t;

To give effect to the change, load the revised policy. Then, retry Nmap:

# make load
# nmap -sT 127.0.0.1

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-01 11:43 PDT
Interesting ports on bill-a31 (127.0.0.1):
(The 1658 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
222/tcp open  rsh-spx

Nmap run completed -- 1 IP address (1 host up) scanned in 0.469 seconds

This time, Nmap works as expected.
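The edit above is a one-line addition, but it is worth making it repeatable: a script that checks whether a role declaration is already present before appending it avoids duplicate declarations when the same change is applied more than once (for example, across several hosts). The following is an added example, not the book's or the policy's own code. It works on a constructed copy of the two role lines quoted from traceroute.te; the function names and the temporary-file layout are assumptions for the example, and loading the revised policy remains the book's `make load` step in the policy source directory.

```shell
#!/bin/sh
# Added example: idempotently add "role ROLE types TYPE;" to a policy
# source file, matching the form of the declarations quoted above.

# Constructed sample: the two role declarations found in traceroute.te.
make_sample_te() {
    cat > "$1" <<'EOF'
role sysadm_r types traceroute_t;
role system_r types traceroute_t;
EOF
}

# has_role_grant FILE ROLE TYPE -> exit 0 if FILE already authorises ROLE for TYPE
has_role_grant() {
    grep -Eq "^[[:space:]]*role[[:space:]]+$2[[:space:]]+types[[:space:]]+$3[[:space:]]*;" "$1"
}

# grant_role FILE ROLE TYPE -> append the declaration unless already present
grant_role() {
    if has_role_grant "$1" "$2" "$3"; then
        echo "already granted: $2 -> $3"
    else
        printf 'role %s types %s;\n' "$2" "$3" >> "$1"
        echo "added: $2 -> $3"
    fi
}

# count_role_grants FILE TYPE -> number of roles authorised to enter TYPE
count_role_grants() {
    grep -Ec "^[[:space:]]*role[[:space:]]+[[:alnum:]_]+[[:space:]]+types[[:space:]]+$2[[:space:]]*;" "$1"
}

# Stand-alone run on a temporary copy.
TE=$(mktemp)
make_sample_te "$TE"
grant_role "$TE" staff_r traceroute_t      # adds the third declaration
grant_role "$TE" staff_r traceroute_t      # second call is a no-op
count_role_grants "$TE" traceroute_t       # prints 3
rm -f "$TE"
# On a real system the next step is the book's: make load
```

The count function doubles as a quick audit: listing how many roles may enter a privileged domain such as traceroute_t is a cheap way to notice when a grant like this one has spread further than intended.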

In general, one additional step is often needed to add a user to an existing domain: a transition. In the case of the traceroute_t domain, a conditional transition exists:

ifdef(`ping.te', `
if (user_ping) {
    domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
    # allow access to the terminal
    allow traceroute_t { ttyfile ptyfile }:chr_file rw_file_perms;
}
')

This transition authorizes ordinary programs (programs labeled with the type unpriv_userdomain) to enter the traceroute_t domain by executing a program labeled with the traceroute_exec_t type. The Nmap program, which performs ping operations, benefits from this general-purpose transition. So we didn’t find it necessary to add a new transition. Otherwise, we might have added a transition of the form:

domain_auto_trans(staff_t, traceroute_exec_t, traceroute_t)

The allow declaration inside this conditional block authorizes processes in the traceroute_t domain to read and write terminal and pseudoterminal devices. This lets traceroute write its messages directly to the terminal device, rather than through the standard output or standard error streams, which is how traceroute expects to operate.
