2013-09-25 18:27:34

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/1] Allow ping to get/set capabilities

When ping is installed with capabilities instead of being marked setuid,
then the ping_t domain needs to be allowed to getcap/setcap.

Reported-by: Luis Ressel <[email protected]>
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/netutils.te | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 557da97..cfe036a 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -106,6 +106,8 @@ optional_policy(`
#

allow ping_t self:capability { setuid net_raw };
+# When ping is installed with capabilities instead of setuid
+allow ping_t self:process { getcap setcap };
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
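Review bot: The comment above the new `allow ping_t self:process { getcap setcap };` line describes a conditional scenario (file capabilities instead of setuid), but the rule itself is unconditional and is not wrapped in a tunable or an `ifdef`, so the policy now grants getcap/setcap on every system, including setuid installs where the existing `allow ping_t self:capability { setuid net_raw };` line already covers the privilege path. That is acceptable, since `process:getcap`/`process:setcap` only let ping_t inspect and adjust its own capability set rather than acquire new capabilities, but the comment should say so explicitly, e.g. "# getcap/setcap are needed when ping is installed with file capabilities instead of setuid; harmless otherwise", so a later reader does not mistake the line for a rule that only applies in one configuration. It would also be worth stating in the commit message which denial was observed (the `process { getcap setcap }` AVC), since the message currently only asserts the requirement without the evidence that motivated it.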
--
1.8.1.5


2013-09-26 14:49:07

by cpebenito

Subject: [refpolicy] [PATCH 1/1] Allow ping to get/set capabilities

On Wed 25 Sep 2013 02:27:34 PM EDT, Sven Vermeulen wrote:
> When ping is installed with capabilities instead of being marked setuid,
> then the ping_t domain needs to be allowed to getcap/setcap.
>
> Reported-by: Luis Ressel <[email protected]>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/admin/netutils.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
> index 557da97..cfe036a 100644
> --- a/policy/modules/admin/netutils.te
> +++ b/policy/modules/admin/netutils.te
> @@ -106,6 +106,8 @@ optional_policy(`
> #
>
> allow ping_t self:capability { setuid net_raw };
> +# When ping is installed with capabilities instead of setuid
> +allow ping_t self:process { getcap setcap };
> dontaudit ping_t self:capability sys_tty_config;
> allow ping_t self:tcp_socket create_socket_perms;
> allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com