9.7 Allowing a User Access to an Existing Domain


Let's continue the case study from the preceding section by observing that users other than the system administrator can't use Nmap:

    # id -Z
    root:staff_r:staff_t
    # nmap -sT 127.0.0.1
    Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-01 11:13 PDT
    Unable to find nmap-services!  Resorting to /etc/services
    socket troubles in massping : Permission denied

The relevant AVC log message is:

    avc:  denied  { create } for  pid=8940 exe=/usr/bin/nmap scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=rawip_socket

The message tells us that the staff_r role is not authorized to create a raw IP socket. We could authorize the domain to do so. But this naive approach would likely confer excessive permissions. Indeed, it's debatable whether we should allow staff_r access to Nmap at all. But let's presume that we do want to authorize access to Nmap without generally authorizing creation of raw IP sockets.

Unless you have a good reason, I don't recommend that you authorize staff_r users to access Nmap. Limiting the permissions available to staff_r users is consistent with the principle of least privilege. If you do choose to authorize Nmap access, carefully consider whether to do so by using the approach explained here, which authorizes access to the entire traceroute_t domain, rather than only the Nmap program. The following section shows a more focused alternative approach.


Apparently, the problem is that staff_r is not authorized to enter the traceroute_t domain. Inspecting the traceroute.te file, we find the following two role declarations:

    role sysadm_r types traceroute_t;
    role system_r types traceroute_t;

Add a third declaration having the same form:

    role staff_r types traceroute_t;

To give effect to the change, load the revised policy. Then, retry Nmap:

    # make load
    # nmap -sT 127.0.0.1
    Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-01 11:43 PDT
    Interesting ports on bill-a31 (127.0.0.1):
    (The 1658 ports scanned but not shown below are in state: closed)
    PORT    STATE SERVICE
    222/tcp open  rsh-spx
    Nmap run completed -- 1 IP address (1 host up) scanned in 0.469 seconds

This time, Nmap works as expected.
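The diagnosis above was done by reading the AVC message and traceroute.te by hand. The following Python script is an added example, not code from the book: it parses an AVC denial into its fields, reads the "role ... types" declarations from policy text, checks whether the role in the source context is authorized for a given domain, and appends a declaration of the same form when it is missing. The AVC line and the policy fragment are the ones quoted above, embedded here as constructed sample input; the target domain (traceroute_t) is supplied by the caller, because the text infers it from traceroute.te rather than from the denial itself.

```python
import re

# Constructed sample input: the AVC denial quoted in the text and the
# two role declarations found in traceroute.te before the fix.
AVC_LINE = ("avc:  denied  { create } for  pid=8940 exe=/usr/bin/nmap "
            "scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t "
            "tclass=rawip_socket")

TRACEROUTE_TE = """
role sysadm_r types traceroute_t;
role system_r types traceroute_t;
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)")
ROLE_RE = re.compile(r"^\s*role\s+(\w+)\s+types\s+([^;]+);", re.MULTILINE)


def parse_avc(line):
    """Split an AVC denial into its permission set and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    info = dict(kv.split("=", 1) for kv in m.group("fields").split())
    info["perms"] = m.group("perms").split()
    # A security context is user:role:type; pull the role and type out of
    # the source context so the caller can check role authorization.
    _user, role, stype = info["scontext"].split(":")[:3]
    info["srole"], info["stype"] = role, stype
    return info


def role_types(policy_text):
    """Map each role to the set of domains its 'role ... types' lines allow."""
    allowed = {}
    for role, types in ROLE_RE.findall(policy_text):
        # 'types' may be a single name or a brace-enclosed list.
        names = types.replace("{", " ").replace("}", " ").split()
        allowed.setdefault(role, set()).update(names)
    return allowed


def role_can_enter(policy_text, role, domain):
    """True if a 'role <role> types ...' declaration names the domain."""
    return domain in role_types(policy_text).get(role, set())


def authorize_role(policy_text, role, domain):
    """Append a declaration of the same form as the existing ones, once."""
    if role_can_enter(policy_text, role, domain):
        return policy_text
    return policy_text.rstrip("\n") + "\nrole %s types %s;\n" % (role, domain)
```

The returned text still has to be written back to traceroute.te and loaded with make load, as the section describes.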

In general, one additional step is often needed to add a user to an existing domain: a transition. In the case of the traceroute_t domain, a conditional transition exists:

    ifdef(`ping.te', `
    if (user_ping) {
        domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
        # allow access to the terminal
        allow traceroute_t { ttyfile ptyfile }:chr_file rw_file_perms;
    }
    ')

This transition authorizes ordinary programs (programs labeled with the type unpriv_userdomain) to enter the traceroute_t domain by executing a program labeled with the traceroute_exec_t type. The Nmap program, which performs ping operations, benefits from this general-purpose transition, so we didn't find it necessary to add a new transition. Otherwise, we might have added a transition of the form:

    domain_auto_trans(staff_t, traceroute_exec_t, traceroute_t)

The allow declaration in this conditional transition authorizes processes in the traceroute_t domain to read from and write to the terminal and pseudoterminal devices. This lets traceroute write messages directly to the device, rather than through the Unix standard output or standard error streams, as traceroute requires.



SELinux: NSA's Open Source Security Enhanced Linux
ISBN: 0596007167
Year: 2003
Author: Bill McCarty