[refpolicy] [PATCH] Grant ping_t getattr on rawip_socket

Christopher J. PeBenito cpebenito at tresys.com
Mon Aug 18 09:49:55 EDT 2014


On 6/26/2014 5:22 PM, Luis Ressel wrote:
> If the (sadly nearly undocumented) Linux kernel feature which allows
> specific user groups to send ICMP echos without CAP_NET_RAW
> (configurable with the sysctl net.ipv4.ping_group_range, available since
> 3.0) is used, ping needs the getattr permission of the rawip_socket
> class in order to work.
> ---
>  policy/modules/admin/netutils.te | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
> index 7aa7384..570bf2c 100644
> --- a/policy/modules/admin/netutils.te
> +++ b/policy/modules/admin/netutils.te
> @@ -110,7 +110,7 @@ allow ping_t self:capability { setuid net_raw };
>  allow ping_t self:process { getcap setcap };
>  dontaudit ping_t self:capability sys_tty_config;
>  allow ping_t self:tcp_socket create_socket_perms;
> -allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
> +allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
>  allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
>  allow ping_t self:netlink_route_socket create_netlink_socket_perms;

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


More information about the refpolicy mailing list