My policy has changed in the meantime, but is still based on:
A no-poetterware desktop RBAC policy
viewtopic.php?f=5&t=4153
which I posted trying to offer an (imperfect) reference to newbies.
---
WARNING: non-Gentoo users, skim over these first lines down to "WARNING END"; they are Gentoo-specific.
I just installed:
Code:
# equery l net-analyzer/wireshark
* Searching for wireshark in net-analyzer ...
[IP-] [ ] net-analyzer/wireshark-2.0.0_rc1:0/2.0.0_rc1
g0n ~ #
for which I needed to tweak the configuration in /etc/portage/package.accept_keywords (
Code:
net-analyzer/wireshark **
) and also in /etc/portage/package.mask (
added:
Code:
=net-analyzer/wireshark-1.12.8
=net-analyzer/wireshark-99999999
(the 1.12.8 was previously masked because it crashed my machine)
)
WARNING END
---
Just pick up the information that the above is about wireshark-2.0.0_rc1, which is, at the time of writing this topic, still in testing, that is, it is still unstable.
And I can see that wireshark-2 is going to be a great change. For one thing, the content in all the panes is much more easily viewed: no thick frames around panes, and everything that is not content is really slim.
And I have a few computers that I still can only work on at 800x600! Imagine what good news every pixel saved for the content is for me!
But also the internals appear to have changed. You'll figure that out below, from a first-hand account, as the story is hands-on!
Because I'm posting this to find the new policy for wireshark and for dumpcap.
If you look up my uncenz little program in action (e.g. in "SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox"), you'll see that I don't capture with Wireshark: that's too much X, everything is more easily broken. Rather, I capture with dumpcap, or I could (and previously did) with pcapng, or with tcpdump; they're all libpcap-based... But I do need the GUI (Wireshark proper; dumpcap is part of its installation on *nix) to view things, at least I still need the GUI at this time.
With net-analyzer/wireshark-1.12.7 and earlier ones, which all were pretty stable (just net-analyzer/wireshark-1.12.8 crashed my machines), the RBAC policy below worked, and it worked great for my needs (for a long time I haven't been capturing with Wireshark proper but with dumpcap/pcapng/tcpdump):
Code:
# Role: root
subject /usr/bin/dumpcap o {
user_transition_allow miro root nobody
group_transition_allow miro root nobody
/ h
/Cmn h
/Cmn/MyVideos r
/Cmn/mr rw
/dev h
/dev/bus rw
/dev/usbmon* r
/etc h
/etc/ld.so.cache r
/etc/libnl/classid r
/home h
/lib64 rx
/lib64/modules h
/sys
/sys/bus r
/sys/bus/usb/devices r
/sys/class r
/sys/class/net r
/sys/devices r
/usr h
/usr/bin h
/usr/bin/dumpcap rx
/usr/lib64 rx
-CAP_ALL
+CAP_NET_ADMIN
+CAP_NET_RAW
bind 0.0.0.0/32:0 dgram ip
connect disabled
sock_allow_family netlink
}
# Role: miro
subject /usr/bin/wireshark o {
/
/Cmn r
/Cmn/Kaff rwc
/Cmn/MyVideos/Scr rwc
/Cmn/dLo rwc
/Cmn/mr* rwc
/boot h
/dev h
/dev/sda3
/dev/random r
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/home
/home/miro rwcd
# /lib/modules h
/lib64 rx
/lib64/modules h
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
# /proc/mounts
/proc/slabinfo h
/sys h
/usr h
/usr/bin h
/usr/bin/dumpcap x
/usr/bin/wireshark x
/usr/lib64 rx
/usr/share r
/tmp rwcd
/var h
/var/cache h
/var/cache/fontconfig r
/var/www/localhost/htdocs rwc
-CAP_ALL
+CAP_DAC_READ_SEARCH
+CAP_NET_ADMIN
+CAP_NET_RAW
bind 0.0.0.0/32:0 dgram ip
connect disabled
sock_allow_family netlink
}
With these policies for dumpcap and for wireshark, I had few if any issues over long months.
But that is not the case anymore.
I'll post next the system log messages that I get when I launch Wireshark, and also when I open a file with captured traffic (some .pcap-ng file, though most people still like to keep the extension to just .pcap, even though .pcap was the old format, nowadays rarely used to my knowledge).
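As an added example for this thread (my own code, not gradm and not anything the original poster ran), here is a small Python checker that parses subject blocks written in the RBAC syntax used above and answers the two questions you end up asking when a policy like this breaks: which capabilities the subject keeps after the -CAP_ALL / +CAP_X lines, and which object rule wins for a given path. It assumes only the subset of the policy syntax shown in the post, applies capability lines in file order, treats the longest matching object path as the most specific rule (gradm's real matching, in particular its handling of wildcards, is more elaborate), and runs on a constructed, cut-down copy of the dumpcap and wireshark subjects rather than on a live /etc/grsec/policy.

```python
"""Parse grsecurity RBAC subject blocks and answer "what may this subject touch?".

Added example for this thread; not part of gradm. Assumes the subset of the
policy syntax used in the post: subject lines, object lines, capability lines,
and transition/bind/connect/sock_* lines (kept but not interpreted).
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed sample, trimmed from the post's dumpcap and wireshark subjects.
SAMPLE_POLICY = """\
# Role: root
subject /usr/bin/dumpcap o {
    user_transition_allow miro root nobody
    / h
    /Cmn h
    /Cmn/mr rw
    /dev h
    /dev/bus rw
    /dev/usbmon* r
    /etc h
    /etc/ld.so.cache r
    /lib64 rx
    /usr/bin/dumpcap rx
    -CAP_ALL
    +CAP_NET_ADMIN
    +CAP_NET_RAW
    bind 0.0.0.0/32:0 dgram ip
    connect disabled
    sock_allow_family netlink
}
# Role: miro
subject /usr/bin/wireshark o {
    /
    /etc r
    /etc/shadow h
    /home/miro rwcd
    /tmp rwcd
    /usr/bin/dumpcap x
    -CAP_ALL
    +CAP_DAC_READ_SEARCH
    +CAP_NET_RAW
}
"""

# Constructed subset of Linux capability names; the full set is longer.
KNOWN_CAPS = ["CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH",
              "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_SYS_ADMIN", "CAP_SYS_MODULE"]

# Object-mode letters that allow some kind of modification (write/append/create/delete/link).
WRITE_LETTERS = set("wacdl")


@dataclass
class Subject:
    binary: str
    flags: str
    objects: dict = field(default_factory=dict)    # object path -> mode letters ("" = no access)
    cap_rules: list = field(default_factory=list)  # ("+"|"-", "CAP_X") in file order
    other: list = field(default_factory=list)      # transition, bind, connect, sock_* lines


def parse_policy(text):
    """Return {binary: Subject} for every subject block in the policy text."""
    subjects, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("subject "):
            parts = line.split()
            flags = parts[2] if len(parts) > 2 and parts[2] != "{" else ""
            current = Subject(binary=parts[1], flags=flags)
            subjects[current.binary] = current
        elif line == "}":
            current = None
        elif current is None:
            continue                              # role lines etc. outside a subject
        elif line[0] in "+-" and line[1:].startswith("CAP_"):
            current.cap_rules.append((line[0], line[1:]))
        elif line.startswith("/"):
            parts = line.split(None, 1)           # "/path modes" or bare "/path"
            current.objects[parts[0]] = parts[1] if len(parts) > 1 else ""
        else:
            current.other.append(line)
    return subjects


def effective_caps(subject, all_caps):
    """Capabilities left after applying the subject's rules in file order (assumption)."""
    caps = set(all_caps)                          # a subject with no cap rules keeps everything
    for sign, cap in subject.cap_rules:
        targets = set(all_caps) if cap == "CAP_ALL" else {cap}
        caps = caps | targets if sign == "+" else caps - targets
    return sorted(caps)


def access_mode(subject, path):
    """Mode letters of the most specific (longest) object rule covering path, or None."""
    best = None
    for obj, mode in subject.objects.items():
        covers = fnmatchcase(path, obj) or path.startswith(obj.rstrip("/") + "/")
        if covers and (best is None or len(obj) > len(best[0])):
            best = (obj, mode)
    return best[1] if best else None


def writable_paths(subject):
    """Object paths the subject may modify in some way; worth eyeballing for a CAP_NET_RAW subject."""
    return sorted(p for p, m in subject.objects.items() if set(m) & WRITE_LETTERS)


if __name__ == "__main__":
    subs = parse_policy(SAMPLE_POLICY)
    for s in subs.values():
        print(f"{s.binary}: caps={effective_caps(s, KNOWN_CAPS)} writable={writable_paths(s)}")
    for binary, path in [("/usr/bin/wireshark", "/etc/shadow"), ("/usr/bin/dumpcap", "/dev/usbmon0")]:
        print(f"{binary} on {path}: mode={access_mode(subs[binary], path)!r}")
```

The useful habit this encodes is checking the policy the way the kernel will read it: "/etc r" plus "/etc/shadow h" really does hide the shadow file because the longer rule wins, and a bare "/" with no mode letters leaves anything not covered by a more specific rule with no access at all, which is usually what you want for a capture helper holding CAP_NET_RAW.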