From: aranea@aixah.de (Luis Ressel)
Date: Mon, 19 Jun 2017 00:53:35 +0200
Subject: [refpolicy] [PATCH v2 3/3] netutils: Allow tcpdump to reduce its capability bounding set
In-Reply-To: <20170618225335.25973-1-aranea@aixah.de>
References: <20170618225335.25973-1-aranea@aixah.de>
Message-ID: <20170618225335.25973-3-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

---
 policy/modules/admin/netutils.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 417c6cd2..e633f60f 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -33,9 +33,9 @@ init_system_domain(traceroute_t, traceroute_exec_t)
 #

 # Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setuid sys_chroot };
+allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setpcap setuid sys_chroot };
 dontaudit netutils_t self:capability { dac_override sys_tty_config };
-allow netutils_t self:process { setcap signal_perms };
+allow netutils_t self:process { getcap setcap signal_perms };
 allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
 allow netutils_t self:netlink_socket create_socket_perms;
 # For tcpdump.
-- 
2.13.1
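Review bot: The two widened rules (`self:capability` gaining `setpcap`, `self:process` gaining `getcap`) carry no comment tying them to tcpdump, so the reason for the grant is recorded only in the commit subject. Both permissions go to the whole `netutils_t` domain, and `setpcap` covers more than dropping capabilities from the bounding set (it also allows additions to the inheritable set and securebits changes), so a later least-privilege audit will want the justification in the policy itself. A line such as `# tcpdump drops its capability bounding set at startup: needs setpcap and getcap.` above the `self:capability` rule would do. The `netutils_t` rules continue past the end of this hunk, so whether other programs labelled into this domain inherit the grant cannot be confirmed from here and is worth checking.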