authorLuis Ressel <aranea@aixah.de>2017-06-19 00:53:35 +0200
committerLuis Ressel <aranea@aixah.de>2017-09-09 00:09:59 +0200
commitd623c0a07020a7860cb27d5c3b86ed144032109a (patch)
treea2b8dc59172e18895980604ba0e7b06832f31795 /policy/modules/admin
parentnetutils: Add some permissions required by nmap to traceroute_t (diff)
netutils: Allow tcpdump to reduce its capability bounding set
Diffstat (limited to 'policy/modules/admin')
-rw-r--r--policy/modules/admin/netutils.te4
1 files changed, 2 insertions, 2 deletions
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index d33074653..45a6b11ac 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -33,9 +33,9 @@ init_system_domain(traceroute_t, traceroute_exec_t)
#
# Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setuid sys_chroot };
+allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setpcap setuid sys_chroot };
dontaudit netutils_t self:capability { dac_override sys_tty_config };
-allow netutils_t self:process { setcap signal_perms };
+allow netutils_t self:process { getcap setcap signal_perms };
allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
allow netutils_t self:netlink_socket create_socket_perms;
# For tcpdump.
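Review bot: The added `setpcap` on the `self:capability` rule and `getcap` on the `self:process` rule carry no comment tying them to tcpdump, so a later audit of netutils_t cannot tell why a domain that already holds `net_admin` and `net_raw` also needs a capability-management permission. The grant applies to everything that runs in netutils_t, which, judging by the trailing `# For tcpdump.` comment, appears to be more than tcpdump alone. `setpcap` is what allows dropping bounding-set entries, but it also permits adding bounding-set capabilities to the inheritable set and changing securebits, so it is worth recording that only the drop is intended. I would add above the two rules: `# setpcap/getcap: tcpdump reduces its capability bounding set.` The rule block continues past the end of the hunk.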