| 1 |
commit: 04768f431e51e63fe01b5c93fd639d54feb29380 |
| 2 |
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Sat Oct 10 12:08:03 2015 +0000 |
| 4 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Jul 3 11:33:57 2016 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04768f43 |
| 7 |
|
| 8 |
Manage tun/tap interfaces |
| 9 |
|
| 10 |
We need the relabelfrom/relabelto rights, otherwise tun/tap interface |
| 11 |
activities fail: |
| 12 |
|
| 13 |
~# tunctl -d tap0 |
| 14 |
TUNSETIFF: Permission denied |
| 15 |
|
| 16 |
policy/modules/system/userdomain.if | 3 +++ |
| 17 |
1 file changed, 3 insertions(+) |
| 18 |
|
| 19 |
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if |
| 20 |
index b04d149..e085cff 100644 |
| 21 |
--- a/policy/modules/system/userdomain.if |
| 22 |
+++ b/policy/modules/system/userdomain.if |
| 23 |
@@ -1259,6 +1259,9 @@ template(`userdom_admin_user_template',` |
| 24 |
seutil_relabelto_bin_policy($1_t) |
| 25 |
# allow to manage chr_files in user_tmp (for initrd's) |
| 26 |
userdom_manage_user_tmp_chr_files($1_t) |
| 27 |
+ # allow managing tun/tap interfaces (labeling) |
| 28 |
+ # without this operations such as tunctl -d tap0 result in a TUNSETIFF: Device or resource busy |
| 29 |
+ allow $1_t self:tun_socket { relabelfrom relabelto }; |
| 30 |
') |
| 31 |
') |
Archives