From 23ceab3f9b2741fc6712715b5b298c8d594ba326 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 29 Oct 2013 14:42:38 -0400
Subject: [PATCH] Confine ping, but leave it permissive for now.

Change-Id: I3fda2946271456dbe0905651c5015d9eb120a8ea
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 ping.te | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ping.te b/ping.te
index 37b9b3c36..9adf079b9 100644
--- a/ping.te
+++ b/ping.te
@@ -1,4 +1,13 @@
 type ping, domain;
+permissive ping;
 type ping_exec, exec_type, file_type;
 domain_auto_trans(shell, ping_exec, ping)
-unconfined_domain(ping)
+
+allow ping self:capability net_raw;
+allow ping self:rawip_socket create_socket_perms;
+allow ping self:udp_socket create_socket_perms;
+allow ping node:rawip_socket node_bind;
+allow ping dnsproxyd_socket:sock_file write;
+allow ping netd:unix_stream_socket connectto;
+allow ping devpts:chr_file rw_file_perms;
+allow ping shell:fd use;
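Review bot: The `permissive ping;` line added near the top has no comment marking it as temporary. While it is present none of the allow rules below are enforced, since denials are only logged, so ping stays about as open as it was under the removed `unconfined_domain(ping)`. I would put a comment above it such as `# Permissive until logged avc denials confirm the rules below are sufficient; remove to enforce.` so the line is not left in by accident. The allow rules would also read better with short why-comments, for example `# DNS lookups go through netd's dnsproxyd socket` above the dnsproxyd_socket/netd pair and `# terminal and fds inherited from the invoking shell` above the devpts/shell:fd pair (both purposes are presumed, so confirm them). If the pty is only ever inherited from the shell, check during the permissive period whether `rw_file_perms` on devpts can be narrowed to drop `open`.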
-- 
GitLab