From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 18 Aug 2014 09:49:55 -0400 Subject: [refpolicy] [PATCH] Grant ping_t getattr on rawip_socket In-Reply-To: <1403817727-15799-1-git-send-email-aranea@aixah.de> References: <1403817727-15799-1-git-send-email-aranea@aixah.de> Message-ID: <53F20483.4060107@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 6/26/2014 5:22 PM, Luis Ressel wrote: > If the (sadly nearly undocumented) Linux kernel feature which allows > specific user groups to send ICMP echos without CAP_NET_RAW > (configurable with the sysctl net.ipv4.ping_group_range, available since > 3.0) is used, ping needs the getattr permission of the rawip_socket > class in order to work. > --- > policy/modules/admin/netutils.te | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te > index 7aa7384..570bf2c 100644 > --- a/policy/modules/admin/netutils.te > +++ b/policy/modules/admin/netutils.te > @@ -110,7 +110,7 @@ allow ping_t self:capability { setuid net_raw }; > allow ping_t self:process { getcap setcap }; > dontaudit ping_t self:capability sys_tty_config; > allow ping_t self:tcp_socket create_socket_perms; > -allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; > +allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr }; > allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; > allow ping_t self:netlink_route_socket create_netlink_socket_perms; Merged. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
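Review bot: the added getattr on the `allow ping_t self:rawip_socket { ... }` line carries no in-policy comment, and the reason it is needed (unprivileged ICMP sockets enabled through net.ipv4.ping_group_range) exists only in this mail; a one-line comment above the rule would stop a later permission audit from treating getattr as unused and dropping it again. The hunk also leaves an asymmetry worth a deliberate decision: the tcp_socket rule two lines above uses the create_socket_perms set, while the rawip_socket and packet_socket rules enumerate permissions by hand and only rawip_socket gains getattr. If that is intentional least privilege (no connect or shutdown for raw sockets, and packet_socket not touched by the ping-socket feature), say so in the comment; otherwise using create_socket_perms on the rawip_socket line would match the neighbouring style.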
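The kernel feature Luis describes can be reproduced outside of ping itself. The C program below is an added example written for this page; it is not part of the refpolicy patch, the mail thread, or the iputils source. It parses net.ipv4.ping_group_range the way the kernel reads it, opens an ICMP datagram socket without CAP_NET_RAW, and then calls getsockname(), which on an SELinux system is checked as rawip_socket getattr (that hook mapping is my reading of the LSM code, so confirm it against audit.log on the target). All function names are mine.

```c
/* Added example (not part of the refpolicy patch or the mail thread):
 * reproduce the code path the patch is about. When net.ipv4.ping_group_range
 * covers the caller's group, an unprivileged process can open an ICMP
 * "ping socket" (SOCK_DGRAM + IPPROTO_ICMP) without CAP_NET_RAW. SELinux
 * labels that socket as rawip_socket, and getsockname() on it is checked
 * as rawip_socket:getattr (assumption based on the selinux_socket_getsockname
 * hook; verify with ausearch -m avc on the target).
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Parse the two-integer contents of /proc/sys/net/ipv4/ping_group_range
 * ("low<tab>high\n") and report whether gid may open ping sockets.
 * The kernel default "1 0" is an empty range, i.e. the feature is disabled.
 * Returns 1 if permitted, 0 if not, -1 on a malformed string. */
int gid_in_ping_range(const char *range, unsigned long gid)
{
    unsigned long low, high;
    if (sscanf(range, "%lu %lu", &low, &high) != 2)
        return -1;
    if (low > high)          /* empty range, e.g. the default "1 0" */
        return 0;
    return (gid >= low && gid <= high) ? 1 : 0;
}

/* Read the live sysctl for the effective gid; -1 if it cannot be read. */
int current_gid_allowed(void)
{
    char buf[64];
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    if (!f)
        return -1;
    if (!fgets(buf, sizeof buf, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return gid_in_ping_range(buf, (unsigned long)getegid());
}

/* Open an unprivileged ICMP socket and exercise the getattr path with
 * getsockname(). Returns 0 on success, or -errno from the failing call.
 * Both the kernel's group-range check and an SELinux denial surface as
 * EACCES, so check the sysctl before blaming policy. */
int probe_ping_socket(void)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (fd < 0)
        return -errno;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    close(fd);
    return 0;
}

int main(void)
{
    int allowed = current_gid_allowed();
    printf("ping_group_range covers gid %lu: %s\n", (unsigned long)getegid(),
           allowed == 1 ? "yes" : allowed == 0 ? "no" : "unknown");
    int rc = probe_ping_socket();
    if (rc == 0)
        printf("ICMP datagram socket + getsockname OK (no CAP_NET_RAW needed)\n");
    else
        printf("probe failed: %s (check the sysctl first, then audit.log for a "
               "rawip_socket denial)\n", strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

Run it as an unprivileged user under the ping_t domain (or a test domain with the pre-patch rawip_socket rule) with the sysctl set to cover that user's group; a failure in getsockname() together with an AVC denial naming rawip_socket getattr is the symptom the patch addresses, while a failure in socket() with the sysctl still at "1 0" is the kernel's own group check and no policy change will fix it.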