| 1 |
commit: 6ba54515b29ca6073950bd24f269056663026673 |
| 2 |
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be> |
| 3 |
AuthorDate: Sun Nov 11 12:37:00 2018 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Nov 18 10:56:47 2018 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6ba54515 |
| 7 |
|
| 8 |
Allow systemd_resolved_t to bind to port 53 and use net_raw |
| 9 |
|
| 10 |
resolved also binds against port 53 on lo interface |
| 11 |
|
| 12 |
Signed-off-by: Jason Zaman <jason <AT> perfinion.com> |
| 13 |
|
| 14 |
policy/modules/system/systemd.te | 4 +++- |
| 15 |
1 file changed, 3 insertions(+), 1 deletion(-) |
| 16 |
|
| 17 |
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
| 18 |
index 2a658621..e70ccb21 100644 |
| 19 |
--- a/policy/modules/system/systemd.te |
| 20 |
+++ b/policy/modules/system/systemd.te |
| 21 |
@@ -864,7 +864,7 @@ optional_policy(` |
| 22 |
# Resolved local policy |
| 23 |
# |
| 24 |
|
| 25 |
-allow systemd_resolved_t self:capability { chown setgid setpcap setuid }; |
| 26 |
+allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid }; |
| 27 |
allow systemd_resolved_t self:process { getcap setcap setfscreate signal }; |
| 28 |
|
| 29 |
allow systemd_resolved_t self:tcp_socket { accept listen }; |
| 30 |
@@ -881,8 +881,10 @@ kernel_read_kernel_sysctls(systemd_resolved_t) |
| 31 |
kernel_read_net_sysctls(systemd_resolved_t) |
| 32 |
|
| 33 |
corenet_tcp_bind_generic_node(systemd_resolved_t) |
| 34 |
+corenet_tcp_bind_dns_port(systemd_resolved_t) |
| 35 |
corenet_tcp_bind_llmnr_port(systemd_resolved_t) |
| 36 |
corenet_udp_bind_generic_node(systemd_resolved_t) |
| 37 |
+corenet_udp_bind_dns_port(systemd_resolved_t) |
| 38 |
corenet_udp_bind_llmnr_port(systemd_resolved_t) |
| 39 |
|
| 40 |
auth_use_nsswitch(systemd_resolved_t) |
Archives