From 7ed91bfafdbd60111d3fc91294483edeb0522085 Mon Sep 17 00:00:00 2001
From: Sven Vermeulen
Date: Fri, 19 Oct 2012 20:51:25 +0200
Subject: [PATCH] Support flushing routing cache
To flush the routing cache, ifconfig_t (through the "ip" command) requires sys_admin capability. If not:
~# ip route flush cache
Cannot flush routing cache
Signed-off-by: Sven Vermeulen
---
 policy/modules/system/sysnetwork.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index d11e7c50b..b2bf76247 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -243,7 +243,7 @@ optional_policy(`
 # Ifconfig local policy
 #
 
-allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
+allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };
 allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow ifconfig_t self:fd use;
 allow ifconfig_t self:fifo_file rw_fifo_file_perms;
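Review bot: The widened rule `allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };` grants sys_admin to ifconfig_t unconditionally, and nothing in the policy file records why. sys_admin is one of the broadest Linux capabilities, so every program that runs in this domain gains it, not only `ip route flush cache`. I would add a comment above the rule, for example `# sys_admin is required by "ip route flush cache"`. I would also put the observed AVC denial in the commit message, so a reviewer can confirm that sys_admin, rather than a narrower permission, is what the kernel checks. The Ifconfig local policy section continues beyond this hunk, so the rest of the domain's rules are not visible here.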