Grant ping_t getattr on rawip_socket

If the (sadly nearly undocumented) Linux kernel feature which allows
specific user groups to send ICMP echos without CAP_NET_RAW
(configurable with the sysctl net.ipv4.ping_group_range, available since
3.0) is used, ping needs the getattr permission of the rawip_socket
class in order to work.
This commit is contained in:
Luis Ressel 2014-06-26 23:22:07 +02:00 committed by Chris PeBenito
parent b383c8075e
commit 792b75b70e
1 changed file with 1 addition and 1 deletion

@ -110,7 +110,7 @@ allow ping_t self:capability { setuid net_raw };
allow ping_t self:process { getcap setcap };
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
allow ping_t self:netlink_route_socket create_netlink_socket_perms;
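Review bot: the new getattr on the rawip_socket line deserves a short inline comment explaining why it is needed, because nothing in the policy file ties it to the net.ipv4.ping_group_range case described in the commit message. Unprivileged ICMP datagram sockets are classified by SELinux as rawip_socket (there was no separate ICMP class at this point), so ping's stat-style calls on that socket hit this class; a comment such as "# getattr: unprivileged ICMP sockets (ping_group_range) are rawip_socket" next to the allow rule would save the next reader from re-deriving that. Keeping the explicit permission list rather than switching to the create_socket_perms macro used on the tcp_socket line above is the right call, since it adds only the one permission ping actually needs.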