commit: bb92924b4730deb3dbd1c0a9f2a763ff99cd06c5
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sat Oct 10 12:08:03 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Oct 10 12:08:03 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bb92924b
Manage tun/tap interfaces We need the relabelfrom/relabelto rights, otherwise tun/tap interface activities fail: ~# tunctl -d tap0 TUNSETIFF: Permission denied policy/modules/system/userdomain.if | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index ea03e86..c53daff 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -1254,6 +1254,9 @@ template(`userdom_admin_user_template',` seutil_relabelto_bin_policy($1_t) # allow to manage chr_files in user_tmp (for initrd's) userdom_manage_user_tmp_chr_files($1_t) + # allow managing tun/tap interfaces (labeling) + # without this operations such as tunctl -d tap0 result in a TUNSETIFF: Device or resource busy + allow $1_t self:tun_socket { relabelfrom relabelto }; ') ')
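Review bot: The second added comment line in the userdom_admin_user_template hunk gives the failure as "TUNSETIFF: Device or resource busy", while the commit message shows `tunctl -d tap0` failing with "TUNSETIFF: Permission denied". The comment should quote the error that was actually observed, so that someone searching the policy for that denial finds this rule. The new `allow $1_t self:tun_socket { relabelfrom relabelto };` line is also added without any condition, so every domain instantiated from this template receives it. If that is intended for all admin user domains, the comment should say so. If only some of them manage tun/tap interfaces, consider making the rule conditional.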