http://mgrepl.fedorapeople.org/F15/admin_netutils.patch

* ping did not work for confined users which is fixed by these changes
* allow netutils to read network state information and request the
  kernel to load a module

Hello Miroslav!

On Fri, 18/02/2011 at 16.01 +0000, Miroslav Grepl wrote:
> http://mgrepl.fedorapeople.org/F15/admin_netutils.patch
>
> * ping did not work for confined users which is fixed by these changes
> * allow netutils to read network state information and request the
> kernel to load a module

I have tested ping and traceroute from:
http://www.skbuff.net/iputils/iputils-s20101006.tar.bz2
and they appear to be working fine for confined users with the latest
reference policy (provided that ping is setuid root, which is needed for
opening a raw socket).

Also, I do not suggest that you move files_read_usr_files(traceroute_t)
further up and away from its "nmap-commented" block. For example, I got
immediately confused, I went looking into traceroute source code and
couldn't find anything that it needs to do with usr files... What would
be very nice there is a boolean for the whole nmap-related block.

Is this series of messages just an acknowledgement of what is being done
on Fedora 15? I suppose it is so, as dev_write_usbmon_dev() does not
make sense in refpolicy.

Regards,
Guido