commit:     6ba54515b29ca6073950bd24f269056663026673
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sun Nov 11 12:37:00 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 18 10:56:47 2018 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6ba54515

Allow systemd_resolved_t to bind to port 53 and use net_raw

resolved also binds to port 53 on the lo interface (its local stub listener).

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/systemd.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2a658621..e70ccb21 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -864,7 +864,7 @@ optional_policy(`
 # Resolved local policy
 #
 
-allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
+allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid 
};
 allow systemd_resolved_t self:process { getcap setcap setfscreate signal };
 
 allow systemd_resolved_t self:tcp_socket { accept listen };
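Review bot: The `net_raw` capability added to the `self:capability` line is not justified in the hunk or in the commit message, which only explains the port 53 bind. CAP_NET_RAW lets the domain open raw and packet sockets, so a compromised resolved could sniff or forge arbitrary packets on every interface, including spoofed DNS replies to other local clients; the grant deserves a why-comment naming the operation that produced the denial, e.g. `# net_raw: resolved needs it for its per-link socket setup (SO_BINDTODEVICE?) - confirm against the AVC denial`, since the hunk itself does not show which call requires it. Note also that the capability set still lacks `net_bind_service`; if resolved binds port 53 after dropping to its unprivileged user, that bind will hit a separate capability denial unless it is granted elsewhere in the policy, which this hunk does not show. The capability statement is a single policy line that is wrapped in this rendering.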
@@ -881,8 +881,10 @@ kernel_read_kernel_sysctls(systemd_resolved_t)
 kernel_read_net_sysctls(systemd_resolved_t)
 
 corenet_tcp_bind_generic_node(systemd_resolved_t)
+corenet_tcp_bind_dns_port(systemd_resolved_t)
 corenet_tcp_bind_llmnr_port(systemd_resolved_t)
 corenet_udp_bind_generic_node(systemd_resolved_t)
+corenet_udp_bind_dns_port(systemd_resolved_t)
 corenet_udp_bind_llmnr_port(systemd_resolved_t)
 
 auth_use_nsswitch(systemd_resolved_t)
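Review bot: `corenet_tcp_bind_dns_port` and `corenet_udp_bind_dns_port` permit binding port 53 on any address, and the existing `corenet_*_bind_generic_node` calls already allow every node, so the policy is broader than the "on lo interface" scope the commit message describes. Type enforcement cannot pin the bind to 127.0.0.53, so a stub listener misconfigured onto a non-loopback address is not stopped by this policy and would expose resolved as a network-facing DNS server; a comment such as `# stub listener on 127.0.0.53; TE cannot restrict this bind to loopback` keeps that intent visible to the next maintainer. If packet labeling (SECMARK) is in use, other DNS server domains in refpolicy pair the port bind with `corenet_sendrecv_dns_server_packets(systemd_resolved_t)`; worth checking whether the neighbouring llmnr rules already carry the matching packet rule, which is outside this hunk.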
