[icecream] selinux: allow the scheduler to read state via netlink route sockets
Michal Schmidt
michich at fedoraproject.org
Thu Nov 27 17:18:52 UTC 2014
commit 577fbad8a6af636527f7d278b729702a65dfdb3d
Author: Michal Schmidt <mschmidt at redhat.com>
Date: Thu Nov 27 18:04:50 2014 +0100
selinux: allow the scheduler to read state via netlink route sockets
The scheduler uses getifaddrs() to determine where to send broadcasts
to. This needs read netlink socket access.
Fixes: rhbz#1162321
icecream.spec | 6 +++++-
icecream.te | 1 +
2 files changed, 6 insertions(+), 1 deletions(-)
---
diff --git a/icecream.spec b/icecream.spec
index c96adf8..cff70bb 100644
--- a/icecream.spec
+++ b/icecream.spec
@@ -4,7 +4,7 @@
Name: icecream
Version: 1.0.1
-Release: 8.20140822git%{?dist}
+Release: 9.20140822git%{?dist}
Summary: Distributed compiler
Group: Development/Tools
@@ -255,6 +255,10 @@ exit 0
%{_libdir}/pkgconfig/icecc.pc
%changelog
+* Thu Nov 27 2014 Michal Schmidt <mschmidt at redhat.com> - 1.0.1-9.20140822git
+- selinux: allow the scheduler to read state via netlink route sockets
+- Fixes: rhbz#1162321
+
* Fri Sep 05 2014 Michal Schmidt <mschmidt at redhat.com> - 1.0.1-8.20140822git
- Update to current upstream git.
- Drops bundled minilzo, use system lzo library. (#1131794, CVE-2014-4607)
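Review bot: The new %changelog entry writes the bug reference as "Fixes: rhbz#1162321" on its own bullet, while the entry directly below it uses the parenthesised form "(#1131794, CVE-2014-4607)" at the end of the line it belongs to. Picking one form for the spec file, for example "- selinux: allow the scheduler to read state via netlink route sockets (#1162321)", keeps the changelog consistent and easier to search for bug numbers.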
diff --git a/icecream.te b/icecream.te
index e6e5487..97ba564 100644
--- a/icecream.te
+++ b/icecream.te
@@ -187,6 +187,7 @@ fs_getattr_all_fs(iceccd_untrusted_t)
allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
allow icecc_scheduler_t self:udp_socket create_socket_perms;
+allow icecc_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
corenet_all_recvfrom_netlabel(icecc_scheduler_t)
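Review bot: The added allow rule for icecc_scheduler_t on self:netlink_route_socket carries no comment in icecream.te, so the reason for it (the scheduler calling getifaddrs() to find where to send broadcasts) is recorded only in the commit message. A one-line comment above the rule, such as "# getifaddrs() is used to determine broadcast destinations", would let a later policy audit see why the domain holds this permission. Granting only the read set r_netlink_socket_perms matches the stated need, so the scope itself looks right.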