Allow ping to get/set capabilities

When ping is installed with capabilities instead of being marked setuid,
then the ping_t domain needs to be allowed to getcap/setcap.

Reported-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Sven Vermeulen 2013-09-25 20:27:34 +02:00 committed by Chris PeBenito
parent 7aed0fd9dd
commit 56c43144d7
1 changed files with 2 additions and 0 deletions

@ -106,6 +106,8 @@ optional_policy(`
# #
allow ping_t self:capability { setuid net_raw }; allow ping_t self:capability { setuid net_raw };
# When ping is installed with capabilities instead of setuid
allow ping_t self:process { getcap setcap };
dontaudit ping_t self:capability sys_tty_config; dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms; allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
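
Review bot: the added `allow ping_t self:process { getcap setcap };` rule is unconditional, so ping_t gains getcap/setcap on setuid installs as well, although the comment above it scopes the need to the case where ping is installed with capabilities. If granting it everywhere is intended, the comment should say so. It would also help to state in the comment why setcap is required in addition to getcap, since setcap lets the domain change its own capability sets, and to point out that the existing `allow ping_t self:capability { setuid net_raw };` line is what limits the capabilities the domain can actually use.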