From: Wenzong Fan <wenzong....@windriver.com>

When ping is installed with capabilities instead of being marked setuid,
then the ping_t domain needs to be allowed to getcap/setcap.

Signed-off-by: Wenzong Fan <wenzong....@windriver.com>
---
 .../Allow-ping-to-get-set-capabilities.patch       |   32 ++++++++++++++++++++
 .../refpolicy/refpolicy_2.20130424.inc             |    4 +++
 2 files changed, 36 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch
 
b/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch
new file mode 100644
index 0000000..fced84a
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch
@@ -0,0 +1,32 @@
+From 56c43144d7dcf5fec969c9aa9cb97679ccad50cc Mon Sep 17 00:00:00 2001
+From: Sven Vermeulen <sven.vermeu...@siphos.be>
+Date: Wed, 25 Sep 2013 20:27:34 +0200
+Subject: [PATCH] Allow ping to get/set capabilities
+
+When ping is installed with capabilities instead of being marked setuid,
+then the ping_t domain needs to be allowed to getcap/setcap.
+
+Reported-by: Luis Ressel <ara...@aixah.de>
+Signed-off-by: Sven Vermeulen <sven.vermeu...@siphos.be>
+
+Upstream-Status: backport
+---
+ policy/modules/admin/netutils.te |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/netutils.te 
b/policy/modules/admin/netutils.te
+index 557da97..cfe036a 100644
+--- a/policy/modules/admin/netutils.te
++++ b/policy/modules/admin/netutils.te
+@@ -106,6 +106,8 @@ optional_policy(`
+ #
+ 
+ allow ping_t self:capability { setuid net_raw };
++# When ping is installed with capabilities instead of setuid
++allow ping_t self:process { getcap setcap };
+ dontaudit ping_t self:capability sys_tty_config;
+ allow ping_t self:tcp_socket create_socket_perms;
+ allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+-- 
+1.7.10.4
+
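Review bot: The new rule `allow ping_t self:process { getcap setcap };` carries a comment that says when it applies but not what it grants or why that is acceptable, which is what a policy reviewer will ask first. These process permissions presumably correspond to capget()/capset() on ping's own capability sets and cannot enlarge them beyond what the file capabilities and the `self:capability { setuid net_raw }` rule on the line above already permit, so a comment such as `# File-capability ping adjusts its own cap sets (capget/capset); bounded by the self:capability rule above` would make that explicit. Separately, `Upstream-Status: backport` in the patch header is lowercase; the OE convention is `Upstream-Status: Backport`, and the upstream commit id on the From line makes it traceable. The surrounding ping_t policy block continues outside the hunk.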
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc 
b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index cb1dec6..4b618b2 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -52,4 +52,8 @@ SRC_URI += 
"file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
             file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
            "
 
+# Backport from upstream
+SRC_URI += "file://Allow-ping-to-get-set-capabilities.patch \
+           "
+
 include refpolicy_common.inc
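Review bot: The comment `# Backport from upstream` gives no pointer to the upstream commit, so nothing tells the next maintainer when the patch can be dropped on a refpolicy upgrade. Since the recipe is pinned to 2.20130424 and the backported change is dated 2013-09-25, recording the commit id there, e.g. `# Backport of upstream refpolicy commit 56c43144 (2013-09-25); drop on upgrade past it`, makes that decision mechanical. Folding the file into the existing `SRC_URI +=` list just above would also keep the recipe's patch list in one place, though that is a matter of style.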
-- 
1.7.9.5
