From: dominick.grift@gmail.com (Dominick Grift) Date: Fri, 19 Oct 2012 21:31:55 +0200 Subject: [refpolicy] [PATCH 7/7] Shorewall needs sys_admin capability for manipulating network stack In-Reply-To: <1350672840-14590-8-git-send-email-sven.vermeulen@siphos.be> References: <1350672840-14590-1-git-send-email-sven.vermeulen@siphos.be> <1350672840-14590-8-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1350675115.12496.25.camel@d30.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 2012-10-19 at 20:54 +0200, Sven Vermeulen wrote: > In order to manipulate the network stack (for instance, through the > /proc/sys/net/ipv4/conf/*/rp_filter file for reverse path filtering), shorewall > needs the sys_admin capability. > > If not, it fails with the error message "write error: Operation not permitted". > > Signed-off-by: Sven Vermeulen > --- > shorewall.te | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/shorewall.te b/shorewall.te > index 4723c6b..0f26ab1 100644 > --- a/shorewall.te > +++ b/shorewall.te > @@ -37,7 +37,7 @@ logging_log_file(shorewall_log_t) > # shorewall local policy > # > > -allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace }; > +allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace }; > dontaudit shorewall_t self:capability sys_tty_config; > allow shorewall_t self:fifo_file rw_fifo_file_perms; > This was merged, thanks
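Review bot: the justification in the commit message ("for instance, through the /proc/sys/net/ipv4/conf/*/rp_filter file") does not pin down which operation actually trips the sys_admin check, and since sys_admin is the catch-all capability, that is the one addition in this hunk that deserves a concrete denial in the log. Suggest quoting the AVC denial (the `avc: denied { sys_admin } for ... comm="..."` line) in the commit message so a reader can see that "write error: Operation not permitted" really comes from the capability check on shorewall_t and not from missing write access to the sysctl file itself; with only the error string as evidence, a later reviewer cannot tell whether a narrower permission would have sufficed. Otherwise the change is minimal and keeps the capability list in `allow shorewall_t self:capability { ... };` in alphabetical order, which matches the existing style.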