authorLaurent Bigonville <bigon@bigon.be>2018-11-11 13:37:00 +0100
committerJason Zaman <jason@perfinion.com>2018-11-18 18:56:47 +0800
commit6ba54515b29ca6073950bd24f269056663026673 (patch)
tree10497e3e9ccf1b2dbf2b94baac19ddef70c72171
parentAllow sysnet_dns_name_resolve() to use resolved to resolve DNS names (diff)
Allow systemd_resolved_t to bind to port 53 and use net_raw
resolved also binds to port 53 on the lo interface
Signed-off-by: Jason Zaman <jason@perfinion.com>
-rw-r--r--policy/modules/system/systemd.te4
1 files changed, 3 insertions, 1 deletions
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2a658621d..e70ccb214 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -864,7 +864,7 @@ optional_policy(`
# Resolved local policy
#
-allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
+allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid };
allow systemd_resolved_t self:process { getcap setcap setfscreate signal };
allow systemd_resolved_t self:tcp_socket { accept listen };
@@ -881,8 +881,10 @@ kernel_read_kernel_sysctls(systemd_resolved_t)
kernel_read_net_sysctls(systemd_resolved_t)
corenet_tcp_bind_generic_node(systemd_resolved_t)
+corenet_tcp_bind_dns_port(systemd_resolved_t)
corenet_tcp_bind_llmnr_port(systemd_resolved_t)
corenet_udp_bind_generic_node(systemd_resolved_t)
+corenet_udp_bind_dns_port(systemd_resolved_t)
corenet_udp_bind_llmnr_port(systemd_resolved_t)
auth_use_nsswitch(systemd_resolved_t)
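Review bot: The new corenet_tcp_bind_dns_port/corenet_udp_bind_dns_port lines grant the port-type bind, but port 53 is a privileged port and the capability line changed in the first hunk (`allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid };`) does not include net_bind_service, so the bind will presumably still be denied by the capability check unless that permission is granted somewhere outside these hunks; if it is not, the line should read `allow systemd_resolved_t self:capability { chown net_bind_service net_raw setgid setpcap setuid };`. The commit message justifies only the port 53 bind, while net_raw is a broader grant (raw and packet sockets) than binding a port needs, so the reason for it should be recorded next to the rule, e.g. `# net_raw: presumably for SO_BINDTODEVICE on per-link sockets -- confirm against resolved`. Both hunks sit inside the "Resolved local policy" section, whose remaining rules are outside this view.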