From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 26 Sep 2013 10:49:07 -0400
Subject: [refpolicy] [PATCH 1/1] Allow ping to get/set capabilities
In-Reply-To: <20130925182734.GB5287@siphos.be>
References: <20130925182734.GB5287@siphos.be>
Message-ID: <52444963.8070207@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed 25 Sep 2013 02:27:34 PM EDT, Sven Vermeulen wrote:
> When ping is installed with capabilities instead of being marked setuid,
> then the ping_t domain needs to be allowed to getcap/setcap.
>
> Reported-by: Luis Ressel
> Signed-off-by: Sven Vermeulen
> ---
> policy/modules/admin/netutils.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
> index 557da97..cfe036a 100644
> --- a/policy/modules/admin/netutils.te
> +++ b/policy/modules/admin/netutils.te
> @@ -106,6 +106,8 @@ optional_policy(`
> #
>
> allow ping_t self:capability { setuid net_raw };
> +# When ping is installed with capabilities instead of setuid
> +allow ping_t self:process { getcap setcap };
> dontaudit ping_t self:capability sys_tty_config;
> allow ping_t self:tcp_socket create_socket_perms;
> allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };

Merged.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
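Review bot: the comment on the added `allow ping_t self:process { getcap setcap };` line says when the rule is needed but not what it permits, and since it sits directly under a `self:capability` rule the two classes are easy to confuse. `process { getcap setcap }` gates the capget()/capset() calls the ping process makes on its own capability sets (to inspect them and drop CAP_NET_RAW once the raw socket exists), which is separate from holding the `net_raw` and `setuid` capabilities on the preceding line. Suggest a comment such as "# file-capability ping calls capget/capset on itself to drop privileges" so the next reader does not take this as a duplicate of the capability rule above it.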
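To show what the new rule actually permits, here is an added example (not code from the refpolicy tree or from any ping implementation) of the capget()/capset() calls a file-capability binary makes on its own process: reading its capability sets is what SELinux checks as `process:getcap`, and rewriting them to drop CAP_NET_RAW is `process:setcap`. It assumes Linux with glibc, the raw capability syscalls from `<linux/capability.h>`, and that the sandbox running it does not filter capset; the `read_caps`, `cap_effective` and `drop_cap` function names are the example's own.

```c
/* Added example, not part of the refpolicy patch or of ping itself:
 * the self-directed capget()/capset() calls that the ping_t rule
 * `allow ping_t self:process { getcap setcap };` is there to permit.
 * Assumes Linux + glibc (syscall numbers from <sys/syscall.h>). */
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef CAP_NET_RAW
#define CAP_NET_RAW 13
#endif

/* Fetch the calling thread's capability sets: this is process:getcap. */
static int read_caps(struct __user_cap_data_struct data[2])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capget, &hdr, data);
}

/* Returns 1 if 'cap' is in the effective set, 0 if not, -1 on error. */
int cap_effective(int cap)
{
    struct __user_cap_data_struct data[2] = {{0}};
    if (read_caps(data) != 0)
        return -1;
    return (int)((data[cap / 32].effective >> (cap % 32)) & 1u);
}

/* Drop 'cap' from the effective, permitted and inheritable sets and write
 * them back: this is process:setcap. Shrinking one's own sets needs no
 * CAP_SETPCAP, so this works for an unprivileged process too (the bit is
 * simply already clear), which is what lets the example run stand-alone. */
int drop_cap(int cap)
{
    struct __user_cap_data_struct data[2] = {{0}};
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    unsigned int mask = ~(1u << (cap % 32));

    if (read_caps(data) != 0)
        return -1;
    data[cap / 32].effective   &= mask;
    data[cap / 32].permitted   &= mask;
    data[cap / 32].inheritable &= mask;
    return (int)syscall(SYS_capset, &hdr, data);
}

int main(void)
{
    /* A file-capability ping would do this right after its raw socket
     * is open: check what it holds, then give CAP_NET_RAW back. */
    printf("CAP_NET_RAW effective before: %d\n", cap_effective(CAP_NET_RAW));
    if (drop_cap(CAP_NET_RAW) != 0) {
        perror("capset");
        return 1;
    }
    printf("CAP_NET_RAW effective after:  %d\n", cap_effective(CAP_NET_RAW));
    return 0;
}
```

Run under a confined ping_t domain without the merged rule, both calls would surface as AVC denials in the `process` class (`getcap` for the read, `setcap` for the write), which is the symptom the report describes; the setuid-installed ping never made these calls and so never needed the permission.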