From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 25 Sep 2013 20:27:34 +0200
Subject: [refpolicy] [PATCH 1/1] Allow ping to get/set capabilities
Message-ID: <20130925182734.GB5287@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When ping is installed with capabilities instead of being marked setuid, then the ping_t domain needs to be allowed to getcap/setcap.
Reported-by: Luis Ressel
Signed-off-by: Sven Vermeulen
---
 policy/modules/admin/netutils.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 557da97..cfe036a 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -106,6 +106,8 @@ optional_policy(`
 #
 allow ping_t self:capability { setuid net_raw };
+# When ping is installed with capabilities instead of setuid
+allow ping_t self:process { getcap setcap };
 dontaudit ping_t self:capability sys_tty_config;
 allow ping_t self:tcp_socket create_socket_perms;
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
-- 
1.8.1.5
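Review bot: The added `allow ping_t self:process { getcap setcap };` rule is unconditional, so it also widens ping_t on systems where ping is still setuid, while the comment above it reads as if the grant applied only to file-capability installs. The exposure is small: `setcap` on `self` only lets the domain change its own capability sets, and the capabilities it can actually exercise stay bounded by `allow ping_t self:capability { setuid net_raw };`. The comment should say so, e.g. `# ping adjusts its own capability sets when installed with file capabilities; usable caps stay limited by the self:capability rule above`. Only the ping_t rules are visible in this hunk, so whether other domains in this module can be installed the same way and need the same permission cannot be judged from here.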