commit:     ed4c234f64e2e952f796563b8a7bb4a23b3210cc
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Thu Jun 26 21:22:07 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Aug 19 20:06:36 2014 +0000
URL:        
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ed4c234f

Grant ping_t getattr on rawip_socket

If the (sadly nearly undocumented) Linux kernel feature which allows
specific user groups to send ICMP echo requests without CAP_NET_RAW
(configurable with the sysctl net.ipv4.ping_group_range, available since
Linux 3.0) is used, ping needs the getattr permission on the rawip_socket
class in order to work.

---
 policy/modules/admin/netutils.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 7aa7384..570bf2c 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -110,7 +110,7 @@ allow ping_t self:capability { setuid net_raw };
 allow ping_t self:process { getcap setcap };
 dontaudit ping_t self:capability sys_tty_config;
 allow ping_t self:tcp_socket create_socket_perms;
-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt 
getattr };
 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
 allow ping_t self:netlink_route_socket create_netlink_socket_perms;
 
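Review bot: The new `getattr` permission on `self:rawip_socket` has no in-policy explanation, so the only record of why ping_t needs it is this commit message; a one-line comment above the rule would help the next maintainer who tries to tighten ping_t, e.g. `# getattr is needed when ping uses unprivileged ICMP sockets (net.ipv4.ping_group_range)`. As far as I recall, SELinux places the unprivileged IPPROTO_ICMP datagram sockets in the same rawip_socket class as true raw sockets, so this rule cannot be narrowed to the ping_group_range case alone — that is worth stating in the comment as well. The neighbouring ping_t rules in this hunk (the net_raw capability and the packet_socket rule) are unchanged and still cover the setuid/CAP_NET_RAW path, so this change only adds to, and does not reduce, that path.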
