commit: 385048b24a6639c4a51573409f2b4c42692827b3
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sat Oct 10 12:08:03 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:45:30 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=385048b2

Manage tun/tap interfaces

We need the relabelfrom/relabelto rights, otherwise tun/tap interface
activities fail:

  ~# tunctl -d tap0
  TUNSETIFF: Permission denied

policy/modules/system/userdomain.if | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/userdomain.if
b/policy/modules/system/userdomain.if
index bf78a2b..1572b51 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1300,6 +1300,9 @@ template(`userdom_admin_user_template',`
seutil_relabelto_bin_policy($1_t)
# allow to manage chr_files in user_tmp (for initrd's)
userdom_manage_user_tmp_chr_files($1_t)
+ # allow managing tun/tap interfaces (labeling)
+ # without this operations such as tunctl -d tap0 result in a
TUNSETIFF: Device or resource busy
+ allow $1_t self:tun_socket { relabelfrom relabelto };
')
')
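Review bot: the comment added above the allow rule quotes the failure as "TUNSETIFF: Device or resource busy", but the commit message shows "TUNSETIFF: Permission denied" for the same tunctl -d tap0 command. Make the comment quote the error that was actually observed, so that someone searching the policy for the denial can find this rule. The rule also sits in userdom_admin_user_template, so every domain instantiated from that template gains relabelfrom and relabelto on its own tun_socket. If that breadth is intended, say so in the comment; if only some admin roles manage tun/tap devices, grant it in those roles instead.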