From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 18 Jun 2017 19:25:38 -0400 Subject: [refpolicy] [PATCH v2 3/3] netutils: Allow tcpdump to reduce its capability bounding set In-Reply-To: <20170618225335.25973-3-aranea@aixah.de> References: <20170618225335.25973-1-aranea@aixah.de> <20170618225335.25973-3-aranea@aixah.de> Message-ID: <1bf8563e-a0ca-a8be-c4ea-e7f4f2f3190e@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 06/18/2017 06:53 PM, Luis Ressel via refpolicy wrote: > --- > policy/modules/admin/netutils.te | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te > index 417c6cd2..e633f60f 100644 > --- a/policy/modules/admin/netutils.te > +++ b/policy/modules/admin/netutils.te > @@ -33,9 +33,9 @@ init_system_domain(traceroute_t, traceroute_exec_t) > # > > # Perform network administration operations and have raw access to the network. > -allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setuid sys_chroot }; > +allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setpcap setuid sys_chroot }; > dontaudit netutils_t self:capability { dac_override sys_tty_config }; > -allow netutils_t self:process { setcap signal_perms }; > +allow netutils_t self:process { getcap setcap signal_perms }; > allow netutils_t self:netlink_route_socket create_netlink_socket_perms; > allow netutils_t self:netlink_socket create_socket_perms; > # For tcpdump. Merged. -- Chris PeBenito
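Review bot: The two changed allow rules (self:capability gaining setpcap, self:process gaining getcap) sit under the general comment "Perform network administration operations and have raw access to the network", so nothing in the policy itself records that they are there only so tcpdump can reduce its capability bounding set, as the subject line states. Both permissions apply to everything running as netutils_t, so a short comment beside these rules, or a separate rule for the two permissions under the "# For tcpdump." comment visible at the end of the hunk, would keep the reason auditable. The commit message body is also empty; one sentence on what is denied without getcap and setpcap would help anyone revisiting this rule later.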