commit: 6ba54515b29ca6073950bd24f269056663026673 |
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be> |
AuthorDate: Sun Nov 11 12:37:00 2018 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Nov 18 10:56:47 2018 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6ba54515 |
|
Allow systemd_resolved_t to bind to port 53 and use net_raw |
|
resolved also binds against port 53 on lo interface |
|
Signed-off-by: Jason Zaman <jason <AT> perfinion.com> |
|
policy/modules/system/systemd.te | 4 +++- |
1 file changed, 3 insertions(+), 1 deletion(-) |
|
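diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2a658621..e70ccb21 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -864,7 +864,7 @@ optional_policy(`
 # Resolved local policy
 #
 
-allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
+allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid };
 allow systemd_resolved_t self:process { getcap setcap setfscreate signal };
 
 allow systemd_resolved_t self:tcp_socket { accept listen };
@@ -881,8 +881,10 @@ kernel_read_kernel_sysctls(systemd_resolved_t)
 kernel_read_net_sysctls(systemd_resolved_t)
 
 corenet_tcp_bind_generic_node(systemd_resolved_t)
+corenet_tcp_bind_dns_port(systemd_resolved_t)
 corenet_tcp_bind_llmnr_port(systemd_resolved_t)
 corenet_udp_bind_generic_node(systemd_resolved_t)
+corenet_udp_bind_dns_port(systemd_resolved_t)
 corenet_udp_bind_llmnr_port(systemd_resolved_t)
 
 auth_use_nsswitch(systemd_resolved_t)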
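Review bot: The `net_raw` capability added to the `self:capability` line in the first hunk is not explained by the commit message, which only justifies the port 53 binds, and CAP_NET_RAW is a broader grant than binding a reserved port requires (it is the kernel's check for SO_BINDTODEVICE and for opening raw or packet sockets), so the reason should be recorded beside the rule, e.g. `# net_raw: presumably for SO_BINDTODEVICE on per-link sockets -- confirm against the AVC denial`. Its practical reach is bounded by the socket classes the domain is allowed — nothing in this diff grants `rawip_socket` or `packet_socket` — but that bound is worth stating rather than leaving implicit. In the second hunk, port 53 is a reserved port; if the generated `corenet_tcp_bind_dns_port`/`corenet_udp_bind_dns_port` interfaces do not already carry `net_bind_service` for reserved ports, a further capability denial will follow, so confirm that against the denial log. The enclosing `optional_policy` block starts before the first hunk and the resolved policy appears to continue past the second.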