Let’s continue the case study from the preceding section by observing that users other than the system administrator can’t use Nmap:
#id -Z
root:staff_r:staff_t
#nmap -sT 127.0.0.1
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-01 11:13 PDT
Unable to find nmap-services! Resorting to /etc/services
socket troubles in massping : Permission denied
The relevant AVC log message is:
avc: denied { create } for pid=8940 exe=/usr/bin/nmap scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=rawip_socket
The message tells us that the staff_r role is not authorized to create a raw IP socket. We could authorize the domain to do so. But this naive approach would likely confer excessive permissions. Indeed, it’s debatable whether we should allow staff_r access to Nmap at all. But let’s presume that we do want to authorize access to Nmap without generally authorizing creation of raw IP sockets.
Unless you have a good reason, I don’t recommend that you authorize staff_r users to access Nmap. Limiting the permissions available to staff_r users is consistent with the principle of least privilege. If you do choose to authorize Nmap access, carefully consider whether to do so by using the approach explained here, which authorizes access to the entire traceroute_t domain, rather than only the Nmap program. The following section shows a more focused alternative approach.
Apparently, the problem is that staff_r is not authorized to enter the traceroute_t domain. Inspecting the traceroute.te file, we find the following two role declarations:
role sysadm_r types traceroute_t;
role system_r types traceroute_t;
Add a third declaration having the same form:
role staff_r types traceroute_t;
To give effect to the change, load the revised policy. Then, retry Nmap:
#make load
#nmap -sT 127.0.0.1
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-01 11:43 PDT
Interesting ports on bill-a31 (127.0.0.1):
(The 1658 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
222/tcp open  rsh-spx
Nmap run completed -- 1 IP address (1 host up) scanned in 0.469 seconds
This time, Nmap works as expected.
In general, one additional step is often needed to add a user to an existing domain: a transition. In the case of the traceroute_t domain, a conditional transition exists:
ifdef(`ping.te', `
if (user_ping) {
domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
# allow access to the terminal
allow traceroute_t { ttyfile ptyfile }:chr_file rw_file_perms;
}
')
This transition authorizes ordinary programs (programs labeled with the type unpriv_userdomain) to enter the traceroute_t domain by executing a program labeled with the traceroute_exec_t type. The Nmap program, which performs ping operations, benefits from this general-purpose transition. So we didn’t find it necessary to add a new transition. Otherwise, we might have added a transition of the form:
domain_auto_trans(staff_t, traceroute_exec_t, traceroute_t)
The allow declaration in this conditional transition authorizes processes in the traceroute_t domain to access the pseudoterminal device. This allows messages to be written directly to the device, rather than writing them via the Unix standard output or standard error devices as traceroute requires.
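The three checks made by hand in this case study (reading the fields of the AVC denial, looking for a role declaration for the target domain in the .te file, and confirming that a domain_auto_trans call into that domain exists) can be scripted. The following shell script is an added example; it is not code from the book or from the SELinux example policy, and the function names, the temporary sample policy file, and the constructed AVC line it works on are my own. It appends the missing role declaration only when no such declaration is present, so running it twice does not duplicate the line.

```shell
#!/bin/sh
# Added example, not code from the book or the SELinux example policy.
# Scripts the triage done by hand in the text: read the AVC denial, check
# whether the denied role is declared for the traceroute_t domain, add the
# declaration if missing, and check for an automatic transition into the
# domain. Function and variable names are this example's own.

# Constructed AVC line (the same message the text quotes).
AVC_SAMPLE='avc: denied { create } for pid=8940 exe=/usr/bin/nmap scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=rawip_socket'

# avc_field LINE KEY: print the value of KEY=value in an AVC message.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: print the denied permission(s) listed between { and }.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\) *}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# context_role / context_type: split a user:role:type security context.
context_role() { printf '%s\n' "$1" | cut -d: -f2; }
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_summary LINE: "ROLE TYPE TCLASS PERM", the four facts needed for triage.
avc_summary() {
    sctx=$(avc_field "$1" scontext)
    printf '%s %s %s %s\n' "$(context_role "$sctx")" "$(context_type "$sctx")" \
        "$(avc_field "$1" tclass)" "$(avc_perm "$1")"
}

# role_declared FILE ROLE TYPE: succeed if "role ROLE types TYPE;" is present.
# Declarations are split on ';' first, so several on one line are handled.
role_declared() {
    tr ';' '\n' < "$1" |
        grep -Eq "^[[:space:]]*role[[:space:]]+$2[[:space:]]+types[[:space:]]+$3[[:space:]]*$"
}

# add_role_decl FILE ROLE TYPE: append the declaration unless already present.
add_role_decl() {
    role_declared "$1" "$2" "$3" && return 0
    printf 'role %s types %s;\n' "$2" "$3" >> "$1"
}

# auto_trans_declared FILE SRC EXEC DST: succeed if the policy file contains
# domain_auto_trans(SRC, EXEC, DST), ignoring whitespace inside the call.
auto_trans_declared() {
    grep -Eq "domain_auto_trans\([[:space:]]*$2[[:space:]]*,[[:space:]]*$3[[:space:]]*,[[:space:]]*$4[[:space:]]*\)" "$1"
}

# make_sample_te: write a constructed fragment modelled on the traceroute.te
# lines quoted in the text, and print its path.
make_sample_te() {
    f=$(mktemp 2>/dev/null || echo "${TMPDIR:-/tmp}/traceroute_sample_$$.te")
    cat > "$f" <<'EOF'
role sysadm_r types traceroute_t; role system_r types traceroute_t;
ifdef(`ping.te', `
if (user_ping) {
domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
# allow access to the terminal
allow traceroute_t { ttyfile ptyfile }:chr_file rw_file_perms;
}
')
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: show the triage for the sample denial against the sample file.
SAMPLE_TE=$(make_sample_te)
echo "denial: $(avc_summary "$AVC_SAMPLE")"
role_declared "$SAMPLE_TE" staff_r traceroute_t && echo "staff_r already declared" || echo "staff_r not declared for traceroute_t"
rm -f "$SAMPLE_TE"
```

On a real system the AVC line would come from the kernel log and the file argument would be the policy source's traceroute.te; after add_role_decl the policy still has to be rebuilt and loaded (the text's make load) before the change takes effect.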