Allowing a User Access to an Existing Domain
Let’s continue the case study from the preceding section by observing that users other than the system administrator can’t use Nmap:
#id -Z
root:staff_r:staff_t #nmap -sT 127.0.0.1
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-01 11:13 PDT Unable to find nmap-services! Resorting to /etc/services socket troubles in massping : Permission denied
The relevant AVC log message is:
avc: denied { create } for pid=8940 exe=/usr/bin/nmap scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=rawip_socket
The message tells us that the
staff_r
role is not
authorized to create a raw IP socket. We could authorize the domain
to do so. But this naive approach would likely confer excessive
permissions. Indeed, it’s debatable whether we
should allow staff_r
access to Nmap at all. But
let’s presume that we do want to authorize access to
Nmap without generally authorizing creation of raw IP sockets.
Warning
Unless you have a good reason, I don’t recommend
that you authorize staff_r
users to access Nmap.
Limiting the permissions available to staff_r
users is consistent with the principle of least privilege. If you do
choose to authorize Nmap access, carefully consider whether to do so
by using the approach explained here, which authorizes access to the
entire traceroute_t
domain, rather than only the
Nmap program. The following section shows a more focused alternative
approach.
Apparently, the problem is that staff_r
is not authorized ...
Get SELinux now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.