[refpolicy] [patch 1/1] netutils: make ping working for confined users

[refpolicy] [patch 1/1] netutils: make ping working for confined users

[Miroslav Grepl]

http://mgrepl.fedorapeople.org/F15/admin_netutils.patch

     * ping did not work for confined users which is fixed by these changes
     * allow netutils to read network state information and request the 
kernel to load a module

[refpolicy] [patch 1/1] netutils: make ping working for confined users

[Guido Trentalancia]

Hello Miroslav !

On Fri, 18/02/2011 at 16.01 +0000, Miroslav Grepl wrote:
> http://mgrepl.fedorapeople.org/F15/admin_netutils.patch
> 
>      * ping did not work for confined users which is fixed by these changes
>      * allow netutils to read network state information and request the 
> kernel to load a module

I have tested ping and traceroute from:

http://www.skbuff.net/iputils/iputils-s20101006.tar.bz2

and they appear to be working fine for confined users with the latest
reference policy (provided that ping is setuid root, which is needed for
opening a raw socket).

Also, I do not suggest that you move files_read_usr_files(traceroute_t)
 further up and away from its "nmap-commented" block. For example, I got
immediately confused, I went looking into traceroute source code and
couldn't find anything that it needs to do with usr files... What would
be very nice there is a boolean for the whole nmap-related block.

Is this series of messages just an acknowledgement of what is being done
on Fedora 15 ? I suppose it is so, as dev_write_usbmon_dev() does not
make sense in refpolicy.

Regards,

Guido