author | Anthony G. Basile <blueness@gentoo.org> | 2011-03-07 03:00:43 +0000 |
committer | Anthony G. Basile <blueness@gentoo.org> | 2011-03-07 03:00:43 +0000 |
commit | b223f8e05769384567e0b24ca68b2ca9188c3aa5 (patch) | |
tree | 6697c4bfc8bdc2a531d5aa96d3cd5369aced3120 /sec-policy/selinux-wireshark | |
parent | Revert use of sudo_db_t and use pam_var_run_t as suggested by upstream (diff) | |
download | gentoo-2-b223f8e05769384567e0b24ca68b2ca9188c3aa5.tar.gz gentoo-2-b223f8e05769384567e0b24ca68b2ca9188c3aa5.tar.bz2 gentoo-2-b223f8e05769384567e0b24ca68b2ca9188c3aa5.zip |
Allow wireshark to execute files in the users' home directory (needed for libffi/python)
(Portage version: 2.1.9.25/cvs/Linux x86_64)
Diffstat (limited to 'sec-policy/selinux-wireshark')
3 files changed, 84 insertions, 1 deletions
diff --git a/sec-policy/selinux-wireshark/ChangeLog b/sec-policy/selinux-wireshark/ChangeLog
index 57f0ed637ca7..94059ee45a82 100644
--- a/sec-policy/selinux-wireshark/ChangeLog
+++ b/sec-policy/selinux-wireshark/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for sec-policy/selinux-wireshark
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-wireshark/ChangeLog,v 1.9 2011/02/05 12:07:15 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-wireshark/ChangeLog,v 1.10 2011/03/07 03:00:43 blueness Exp $
+
+*selinux-wireshark-2.20101213-r1 (07 Mar 2011)
+
+ 07 Mar 2011; Anthony G. Basile <blueness@gentoo.org>
+ +files/fix-apps-wireshark-r1.patch,
+ +selinux-wireshark-2.20101213-r1.ebuild:
+ Allow wireshark to execute files in the users' home directory (needed for
+ libffi/python)
 *selinux-wireshark-2.20101213 (05 Feb 2011)
diff --git a/sec-policy/selinux-wireshark/files/fix-apps-wireshark-r1.patch b/sec-policy/selinux-wireshark/files/fix-apps-wireshark-r1.patch
new file mode 100644
index 000000000000..291a77c7a179
--- /dev/null
+++ b/sec-policy/selinux-wireshark/files/fix-apps-wireshark-r1.patch
@@ -0,0 +1,61 @@
+--- apps/wireshark.te 2010-12-13 15:11:01.000000000 +0100
++++ apps/wireshark.te 2011-02-10 22:07:27.561999998 +0100
+@@ -35,18 +35,20 @@
+ #
+ 
+ allow wireshark_t self:capability { net_admin net_raw setgid };
+-allow wireshark_t self:process { signal getsched };
++allow wireshark_t self:process { signal getsched setcap };
+ allow wireshark_t self:fifo_file { getattr read write };
+ allow wireshark_t self:shm destroy;
+ allow wireshark_t self:shm create_shm_perms;
+ allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms };
+-allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read };
++allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read write };
+ allow wireshark_t self:tcp_socket create_socket_perms;
+ allow wireshark_t self:udp_socket create_socket_perms;
+ 
+ # Re-execute itself (why?)
+ can_exec(wireshark_t, wireshark_exec_t)
+ corecmd_search_bin(wireshark_t)
++corecmd_exec_bin(wireshark_t)
++corecmd_exec_shell(wireshark_t)
+ 
+ # /home/.wireshark
+ manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+@@ -70,12 +72,17 @@
+ kernel_read_system_state(wireshark_t)
+ kernel_read_sysctl(wireshark_t)
+ 
++selinux_getattr_fs(wireshark_t)
++
+ corecmd_search_bin(wireshark_t)
+ 
+ corenet_tcp_connect_generic_port(wireshark_t)
+ corenet_tcp_sendrecv_generic_if(wireshark_t)
+ 
++dev_read_sysfs(wireshark_t)
+ dev_read_urand(wireshark_t)
++dev_read_rand(wireshark_t)
++dev_search_sysfs(wireshark_t)
+ 
+ files_read_etc_files(wireshark_t)
+ files_read_usr_files(wireshark_t)
+@@ -92,7 +99,10 @@
+ 
+ sysnet_read_config(wireshark_t)
+ 
++userdom_exec_user_home_content_files(wireshark_t)
++userdom_user_home_dir_filetrans_user_home_content(wireshark_t, { file lnk_file fifo_file sock_file })
+ userdom_manage_user_home_content_files(wireshark_t)
++userdom_use_user_terminals(wireshark_t)
+ 
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(wireshark_t)
+--- apps/wireshark.fc 2010-08-03 15:11:04.000000000 +0200
++++ apps/wireshark.fc 2011-02-08 21:31:40.547999979 +0100
+@@ -1,3 +1,3 @@
+ HOME_DIR/\.wireshark(/.*)? gen_context(system_u:object_r:wireshark_home_t,s0)
+-
++HOME_DIR/ffi(.*) -- gen_context(system_u:object_r:wireshark_home_exec_t,s0)
+ /usr/bin/wireshark -- gen_context(system_u:object_r:wireshark_exec_t,s0)
diff --git a/sec-policy/selinux-wireshark/selinux-wireshark-2.20101213-r1.ebuild b/sec-policy/selinux-wireshark/selinux-wireshark-2.20101213-r1.ebuild
new file mode 100644
index 000000000000..c4bfd57addc0
--- /dev/null
+++ b/sec-policy/selinux-wireshark/selinux-wireshark-2.20101213-r1.ebuild
@@ -0,0 +1,14 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-wireshark/selinux-wireshark-2.20101213-r1.ebuild,v 1.1 2011/03/07 03:00:43 blueness Exp $
+
+MODS="wireshark"
+IUSE=""
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for wireshark"
+
+KEYWORDS="~amd64 ~x86"
+
+POLICY_PATCH="${FILESDIR}/fix-apps-wireshark-r1.patch" |
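Review bot: The `HOME_DIR/ffi(.*) -- gen_context(system_u:object_r:wireshark_home_exec_t,s0)` entry in the wireshark.fc hunk labels files with a type that no visible .te hunk declares or grants wireshark_t execute on; unless `type wireshark_home_exec_t;` and a `can_exec(wireshark_t, wireshark_home_exec_t)` rule live in the parts of wireshark.te outside these hunks, the label is either a load-time error on an undefined type or dead, because the right actually exercised is `userdom_exec_user_home_content_files(wireshark_t)` from the third .te hunk. That macro, combined with `corecmd_exec_bin(wireshark_t)` and `corecmd_exec_shell(wireshark_t)` in the first hunk, lets a domain that parses untrusted traffic while holding net_raw/net_admin execute every user_home_t file plus shells and system binaries, which is much broader than the libffi trampoline the commit message names. If the dedicated type is kept, declare it with `userdom_user_home_content(wireshark_home_exec_t)`, grant only `can_exec(wireshark_t, wireshark_home_exec_t)`, and tighten the pattern to `HOME_DIR/ffi[^/]*` so it matches only the mkstemp-style temp file rather than any path under an `ffi` prefix. Note that the added `userdom_user_home_dir_filetrans_user_home_content(...)` rule makes files wireshark creates in the home directory user_home_t, so the .fc label alone will not apply to a freshly created trampoline without a matching file transition. The declarations block of wireshark.te is outside every hunk shown, so the type may well be declared there; that only needs confirming before merge.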