commit: d63fd441ccb0fd52cf45a82e0c23a11d052fb1da |
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
AuthorDate: Sat Oct 10 12:08:03 2015 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Wed Dec 2 15:45:15 2015 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d63fd441 |
|
Manage tun/tap interfaces |
|
We need the relabelfrom/relabelto rights, otherwise tun/tap interface |
activities fail: |
|
~# tunctl -d tap0 |
TUNSETIFF: Permission denied |
|
policy/modules/system/userdomain.if | 3 +++ |
1 file changed, 3 insertions(+) |
|
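--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1254,6 +1254,9 @@ template(`userdom_admin_user_template',`
 seutil_relabelto_bin_policy($1_t)
 # allow to manage chr_files in user_tmp (for initrd's)
 userdom_manage_user_tmp_chr_files($1_t)
+ # allow managing tun/tap interfaces (labeling)
+ # without this operations such as tunctl -d tap0 result in a TUNSETIFF: Device or resource busy
+ allow $1_t self:tun_socket { relabelfrom relabelto };
 ')
 ')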
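Review bot: The comment added above the `allow` rule cites `TUNSETIFF: Device or resource busy`, while the commit message reproduces the failure as `TUNSETIFF: Permission denied`. Someone matching an AVC denial to this rule later will search for the wrong error string. If the commit message is the observed output, the comment should read `# without this, operations such as tunctl -d tap0 fail with "TUNSETIFF: Permission denied"`. The rule sits in `userdom_admin_user_template`, so every admin domain built from it gains `relabelfrom`/`relabelto` on `tun_socket`, and the comment should say that the `self` target limits this to the domain's own tun sockets. The two closing `')` lines suggest the rule is inside a nested conditional block, but that block and the template body open outside the hunk, so the scope cannot be confirmed from here.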