From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Fri, 19 Oct 2012 20:51:25 +0200 Subject: [refpolicy] [PATCH 3/3] Support flushing routing cache In-Reply-To: <1350672685-14472-1-git-send-email-sven.vermeulen@siphos.be> References: <1350672685-14472-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1350672685-14472-4-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com To flush the routing cache, ifconfig_t (through the "ip" command) requires sys_admin capability. If not: ~# ip route flush cache Cannot flush routing cache Signed-off-by: Sven Vermeulen --- policy/modules/system/sysnetwork.te | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index d11e7c5..b2bf762 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -243,7 +243,7 @@ optional_policy(` # Ifconfig local policy # -allow ifconfig_t self:capability { net_raw net_admin sys_tty_config }; +allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config }; allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow ifconfig_t self:fd use; allow ifconfig_t self:fifo_file rw_fifo_file_perms; -- 1.7.8.6
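Review bot: the changed rule in the "Ifconfig local policy" block, `allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };`, adds sys_admin with no comment saying why, and the commit message shows only the "Cannot flush routing cache" output, not the AVC denial behind it. sys_admin is a very broad capability covering many unrelated privileged operations, and this allow rule grants it to everything that runs in ifconfig_t, not just to `ip route flush cache`. Please quote the denial in the commit message so the need for sys_admin (rather than the net_admin the domain already has) is on record, and add a one-line comment above the rule tying sys_admin to the routing cache flush so a later audit of the domain can tell why it is there.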