diff options
| author | Wenzong Fan <wenzong.fan@windriver.com> | 2014-01-28 02:54:29 -0500 |
|---|---|---|
| committer | Xin Ouyang <xin.ouyang@windriver.com> | 2014-01-28 16:41:59 +0800 |
| commit | 13266999932edaa334b24c18c79815eb19559b86 (patch) | |
| tree | 2e3c40202c0782cc660e4bfd9e57b3a3d567f0f0 | |
| parent | 271955d346f305b196f069d9dc46db16c43678de (diff) | |
| download | meta-selinux-13266999932edaa334b24c18c79815eb19559b86.tar.gz | |
refpolicy: Allow ping to get/set capabilities
When ping is installed with capabilities instead of being marked setuid,
then the ping_t domain needs to be allowed to getcap/setcap.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Xin Ouyang <xin.ouyang@windriver.com>
| -rw-r--r-- | recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch | 32 | ||||
| -rw-r--r-- | recipes-security/refpolicy/refpolicy_2.20130424.inc | 4 |
2 files changed, 36 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch b/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch new file mode 100644 index 0000000..fced84a --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch | |||
| @@ -0,0 +1,32 @@ | |||
| 1 | From 56c43144d7dcf5fec969c9aa9cb97679ccad50cc Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Sven Vermeulen <sven.vermeulen@siphos.be> | ||
| 3 | Date: Wed, 25 Sep 2013 20:27:34 +0200 | ||
| 4 | Subject: [PATCH] Allow ping to get/set capabilities | ||
| 5 | |||
| 6 | When ping is installed with capabilities instead of being marked setuid, | ||
| 7 | then the ping_t domain needs to be allowed to getcap/setcap. | ||
| 8 | |||
| 9 | Reported-by: Luis Ressel <aranea@aixah.de> | ||
| 10 | Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> | ||
| 11 | |||
| 12 | Upstream-Status: backport | ||
| 13 | --- | ||
| 14 | policy/modules/admin/netutils.te | 2 ++ | ||
| 15 | 1 file changed, 2 insertions(+) | ||
| 16 | |||
| 17 | diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te | ||
| 18 | index 557da97..cfe036a 100644 | ||
| 19 | --- a/policy/modules/admin/netutils.te | ||
| 20 | +++ b/policy/modules/admin/netutils.te | ||
| 21 | @@ -106,6 +106,8 @@ optional_policy(` | ||
| 22 | # | ||
| 23 | |||
| 24 | allow ping_t self:capability { setuid net_raw }; | ||
| 25 | +# When ping is installed with capabilities instead of setuid | ||
| 26 | +allow ping_t self:process { getcap setcap }; | ||
| 27 | dontaudit ping_t self:capability sys_tty_config; | ||
| 28 | allow ping_t self:tcp_socket create_socket_perms; | ||
| 29 | allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; | ||
| 30 | -- | ||
| 31 | 1.7.10.4 | ||
| 32 | |||
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc index cb1dec6..4b618b2 100644 --- a/recipes-security/refpolicy/refpolicy_2.20130424.inc +++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc | |||
| @@ -52,4 +52,8 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \ | |||
| 52 | file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \ | 52 | file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \ |
| 53 | " | 53 | " |
| 54 | 54 | ||
| 55 | # Backport from upstream | ||
| 56 | SRC_URI += "file://Allow-ping-to-get-set-capabilities.patch \ | ||
| 57 | " | ||
| 58 | |||
| 55 | include refpolicy_common.inc | 59 | include refpolicy_common.inc |