From: guido@trentalancia.com (Guido Trentalancia)
Date: Sat, 19 Feb 2011 06:08:11 +0100
Subject: [refpolicy] [patch 1/1] netutils: make ping working for confined users
In-Reply-To: <4D5E97DA.50501@redhat.com>
References: <4D5E97DA.50501@redhat.com>
Message-ID: <1298092091.3101.52.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Miroslav!

On Fri, 18/02/2011 at 16.01 +0000, Miroslav Grepl wrote:
> http://mgrepl.fedorapeople.org/F15/admin_netutils.patch
>
> * ping did not work for confined users which is fixed by these changes
> * allow netutils to read network state information and request the
> kernel to load a module

I have tested ping and traceroute from:

http://www.skbuff.net/iputils/iputils-s20101006.tar.bz2

and they appear to be working fine for confined users with the latest reference policy (provided that ping is setuid root, which is needed for opening a raw socket).

Also, I do not suggest that you move files_read_usr_files(traceroute_t) further up and away from its "nmap-commented" block. For example, I got immediately confused, I went looking into the traceroute source code and couldn't find anything that it needs to do with usr files...

What would be very nice there is a boolean for the whole nmap-related block.

Is this series of messages just an acknowledgement of what is being done on Fedora 15? I suppose it is so, as dev_write_usbmon_dev() does not make sense in refpolicy.

Regards,

Guido