From 23ceab3f9b2741fc6712715b5b298c8d594ba326 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 29 Oct 2013 14:42:38 -0400
Subject: [PATCH] Confine ping, but leave it permissive for now.

Change-Id: I3fda2946271456dbe0905651c5015d9eb120a8ea
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 ping.te | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ping.te b/ping.te
index 37b9b3c36..9adf079b9 100644
--- a/ping.te
+++ b/ping.te
@@ -1,4 +1,13 @@
 type ping, domain;
+permissive ping;
 type ping_exec, exec_type, file_type;
 domain_auto_trans(shell, ping_exec, ping)
-unconfined_domain(ping)
+
+allow ping self:capability net_raw;
+allow ping self:rawip_socket create_socket_perms;
+allow ping self:udp_socket create_socket_perms;
+allow ping node:rawip_socket node_bind;
+allow ping dnsproxyd_socket:sock_file write;
+allow ping netd:unix_stream_socket connectto;
+allow ping devpts:chr_file rw_file_perms;
+allow ping shell:fd use;
-- GitLab
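Review bot: The new `permissive ping;` line near the top of ping.te has no comment marking it as temporary or saying what must happen before it is removed. While it is present, the eight `allow` rules added below are not enforced: accesses outside them are only logged as avc denials, so a process entering the ping domain from shell is effectively no more restricted than it was under the removed `unconfined_domain(ping)`. I would put a comment directly above the statement, for example `# Temporary: rules below are not enforced while ping is permissive; remove this line once logged avc denials for ping have been reviewed.` It would also help to note in that comment which cases the allow set was derived from (the `dnsproxyd_socket` and `netd` rules suggest hostname resolution was exercised), so whoever switches the domain to enforcing knows what still needs checking.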