[yocto] [meta-selinux][PATCH 1/1] refpolicy: Allow ping to get/set capabilities

wenzong.fan at windriver.com wenzong.fan at windriver.com
Mon Jan 27 23:54:29 PST 2014


From: Wenzong Fan <wenzong.fan at windriver.com>

When ping is installed with capabilities instead of being marked setuid,
then the ping_t domain needs to be allowed to getcap/setcap.

Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
---
 .../Allow-ping-to-get-set-capabilities.patch       |   32 ++++++++++++++++++++
 .../refpolicy/refpolicy_2.20130424.inc             |    4 +++
 2 files changed, 36 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch b/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch
new file mode 100644
index 0000000..fced84a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch
@@ -0,0 +1,32 @@
+From 56c43144d7dcf5fec969c9aa9cb97679ccad50cc Mon Sep 17 00:00:00 2001
+From: Sven Vermeulen <sven.vermeulen at siphos.be>
+Date: Wed, 25 Sep 2013 20:27:34 +0200
+Subject: [PATCH] Allow ping to get/set capabilities
+
+When ping is installed with capabilities instead of being marked setuid,
+then the ping_t domain needs to be allowed to getcap/setcap.
+
+Reported-by: Luis Ressel <aranea at aixah.de>
+Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
+
+Upstream-Status: backport
+---
+ policy/modules/admin/netutils.te |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
+index 557da97..cfe036a 100644
+--- a/policy/modules/admin/netutils.te
++++ b/policy/modules/admin/netutils.te
+@@ -106,6 +106,8 @@ optional_policy(`
+ #
+ 
+ allow ping_t self:capability { setuid net_raw };
++# When ping is installed with capabilities instead of setuid
++allow ping_t self:process { getcap setcap };
+ dontaudit ping_t self:capability sys_tty_config;
+ allow ping_t self:tcp_socket create_socket_perms;
+ allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+-- 
+1.7.10.4
+
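Review bot: the `Upstream-Status: backport` line in the embedded patch header should read `Upstream-Status: Backport` (capitalised, per the OpenEmbedded patch tagging convention), and since the upstream commit id 56c43144d7dcf5fec969c9aa9cb97679ccad50cc is already in the `From` line, noting it next to the status makes the backport easy to drop when refpolicy is upgraded. The policy change itself is appropriately narrow: it grants `getcap setcap` on `self:process` only, leaving the `self:capability` set at `{ setuid net_raw }`, so a capability-installed ping can read and adjust its own capability bounding set without the domain gaining any new kernel capability.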
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index cb1dec6..4b618b2 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -52,4 +52,8 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
             file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
            "
 
+# Backport from upstream
+SRC_URI += "file://Allow-ping-to-get-set-capabilities.patch \
+           "
+
 include refpolicy_common.inc
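Review bot: the new patch is appended through a second `SRC_URI +=` block with its own `# Backport from upstream` comment rather than being added to the existing `SRC_URI +=` list that closes with the lone `"` just above; both work in BitBake, but adding `file://Allow-ping-to-get-set-capabilities.patch \` to the existing list keeps the patch list in one place. If the separate block is kept to group backports, the comment should name the refpolicy commit being backported so it is clear which patches become redundant on the next version bump.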
-- 
1.7.9.5
