sec-policy/selinux-base: Add patch for ping
The patch adds an interface and a rule that another patch in sec-policy/selinux-base-policy will use to allow a user to run "ping -I <IPADDRESS>". Patch based on: https://github.com/fedora-selinux/selinux-policy/pull/403
This commit is contained in:
parent
42451654bf
commit
6f3975b9b1
40
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch
vendored
Normal file
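--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch
@@ -0,0 +1,40 @@
+diff -u -r refpolicy/policy/modules/kernel/corenetwork.if.in refpolicy2/policy/modules/kernel/corenetwork.if.in
+--- refpolicy/policy/modules/kernel/corenetwork.if.in 2022-01-12 16:59:47.572670384 -0000
++++ refpolicy2/policy/modules/kernel/corenetwork.if.in 2022-01-12 17:01:54.974858982 -0000
+@@ -879,6 +879,24 @@
+
+########################################
+## <summary>
++## Bind ICMP sockets to generic nodes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`corenet_icmp_bind_generic_node',`
++ gen_require(`
++ type node_t;
++ ')
++
++ allow $1 node_t:icmp_socket node_bind;
++')
++
++########################################
++## <summary>
+## Bind TCP sockets to generic nodes.
+## </summary>
+## <desc>
+diff -u -r refpolicy/policy/modules/kernel/corenetwork.te.in refpolicy2/policy/modules/kernel/corenetwork.te.in
+--- refpolicy/policy/modules/kernel/corenetwork.te.in 2022-01-12 16:59:47.573670362 -0000
++++ refpolicy2/policy/modules/kernel/corenetwork.te.in 2022-01-12 17:03:12.754142616 -0000
+@@ -373,7 +373,7 @@
+
+# Bind to any network address.
+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
+-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
++allow corenet_unconfined_type node_type:{ icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
+
+# Infiniband
+corenet_ib_access_all_pkeys(corenet_unconfined_type)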
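Review bot: The new patch file has no header describing its purpose or origin, unlike the other entries in PATCHES, which are git-format-patch files whose names and bodies carry that information; the fedora-selinux/selinux-policy#403 reference lives only in the commit message and is lost once the file is read on its own. Add a short header above the first `diff` line, for example `Add corenet_icmp_bind_generic_node() and allow icmp_socket node_bind for corenet_unconfined_type so ping can bind to a chosen source address (ping -I). Based on https://github.com/fedora-selinux/selinux-policy/pull/403`; text before the first `diff` line is ignored when the patch is applied. It would also help future rebases to note there that the `refpolicy/` and `refpolicy2/` prefixes both strip to the same path at -p1. Separately, the rule added to corenetwork.te.in references the `icmp_socket` object class, which presumably requires the patched refpolicy to declare the extended socket classes — worth confirming against the version being built, since the policy will not compile otherwise.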
@ -43,6 +43,7 @@ BDEPEND="sys-devel/m4
|
||||
PATCHES=(
|
||||
"${FILESDIR}"/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
|
||||
"${FILESDIR}"/0001-policy-ms-MCS-restricts-relabelfrom.patch
|
||||
"${FILESDIR}"/icmp-bind.patch
|
||||
)
|
||||
|
||||
S=${WORKDIR}/
|
||||
|