From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 05 Oct 2010 15:11:35 -0400 Subject: [refpolicy] [ patch 15/44] netutils: permission sets. In-Reply-To: <1286216636-28449-17-git-send-email-domg472@gmail.com> References: <1286216636-28449-1-git-send-email-domg472@gmail.com> <1286216636-28449-17-git-send-email-domg472@gmail.com> Message-ID: <4CAB7867.6080106@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 10/04/10 14:23, Dominick Grift wrote: > > Signed-off-by: Dominick Grift Merged. > :100644 100644 aea8626... de06947... M policy/modules/admin/netutils.te > policy/modules/admin/netutils.te | 4 ++-- > 1 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te > index aea8626..de06947 100644 > --- a/policy/modules/admin/netutils.te > +++ b/policy/modules/admin/netutils.te > @@ -35,8 +35,8 @@ init_system_domain(traceroute_t, traceroute_exec_t) > # Perform network administration operations and have raw access to the network. > allow netutils_t self:capability { net_admin net_raw setuid setgid }; > dontaudit netutils_t self:capability sys_tty_config; > -allow netutils_t self:process { sigkill sigstop signull signal }; > -allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write }; > +allow netutils_t self:process signal_perms; > +allow netutils_t self:netlink_route_socket create_netlink_socket_perms; > allow netutils_t self:packet_socket create_socket_perms; > allow netutils_t self:udp_socket create_socket_perms; > allow netutils_t self:tcp_socket create_stream_socket_perms; -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
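Review bot: The two replaced `allow` rules in the `@@ -35,8 +35,8 @@` hunk of policy/modules/admin/netutils.te swap explicit permission lists for the `signal_perms` and `create_netlink_socket_perms` sets, and nothing in the patch shows that those sets expand to exactly the permissions that were removed. The removed lines granted `{ sigkill sigstop signull signal }` on `self:process` and `{ bind create getattr nlmsg_read nlmsg_write read write }` on `self:netlink_route_socket`. If either set contains anything beyond those, this is a permission widening for netutils_t, a domain that already holds `net_admin` and `net_raw`, rather than a pure cleanup. The commit message carries only the Signed-off-by line, so please state there whether the granted permissions are unchanged, and if they are not, list which extra permissions netutils_t gains and why they are acceptable. Comparing the compiled policy before and after the change would settle it.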