Diffstat (limited to 'sysconf')
-rw-r--r--sysconf/capability.conf10
-rw-r--r--sysconf/filecaps26
2 files changed, 36 insertions, 0 deletions
diff --git a/sysconf/capability.conf b/sysconf/capability.conf
new file mode 100644
index 00000000..0a7235f1
--- /dev/null
+++ b/sysconf/capability.conf
@@ -0,0 +1,10 @@
+# this is a capability file (used in conjunction with the pam_cap.so module)
+
+# Special capability for Vyatta admin
+all %vyattacfg
+
+# Vyatta Operator
+cap_net_admin,cap_sys_boot,cap_audit_write %vyattaop
+
+## 'everyone else' gets no inheritable capabilities
+none *
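Review bot: The inheritable sets granted on the `all %vyattacfg` and `cap_net_admin,cap_sys_boot,cap_audit_write %vyattaop` lines only matter for binaries whose file capabilities carry the inheritable flag, and every entry in the companion sysconf/filecaps hunk uses `=pe` (permitted+effective), which gives the capability to any user who executes the binary regardless of what pam_cap decided at login. If the intent is that only these groups receive the capabilities, the filecaps entries need `=ei` so the file's inheritable bits intersect with the process inheritable set built here. pam_cap applies the first matching line, so the `none *` catch-all must stay last; a comment saying so would protect against reordering, e.g. `## must remain the last entry: pam_cap uses the first match`. `all` for %vyattacfg is effectively root-equivalent, and the comment above it should state that this is intended rather than just "Special capability".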
diff --git a/sysconf/filecaps b/sysconf/filecaps
new file mode 100644
index 00000000..1e06c0e8
--- /dev/null
+++ b/sysconf/filecaps
@@ -0,0 +1,26 @@
+# List of files that get special attribute labeling
+
+# Network related utilities
+cap_net_admin=pe /usr/sbin/ethtool
+cap_net_admin=pe /sbin/tc
+cap_net_admin=pe /bin/ip
+cap_net_admin=pe /sbin/iptables
+cap_net_admin=pe /sbin/ip6tables
+cap_net_admin=pe/ /usr/sbin/ipset
+cap_net_admin=pe /usr/sbin/conntrack
+cap_net_admin=pe /usr/sbin/arp
+cap_net_admin=pe /usr/sbin/brctl
+
+# Raw sockets
+cap_net_raw=pe /usr/bin/tshark
+cap_net_raw=pe /usr/sbin/tcpdump
+
+# Allow changes to system settings
+cap_sys_admin=pe /sbin/sysctl
+
+# Module install
+cap_sys_module=pe /sbin/modprobe
+
+# Set time
+cap_sys_time=pe /bin/date
+cap_sys_time=pe /usr/sbin/ntpdate
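Review bot: `cap_net_admin=pe/ /usr/sbin/ipset` has a stray `/` after `pe`, which is not a valid capability clause; it should read `cap_net_admin=pe /usr/sbin/ipset`, otherwise the tool applying this file will reject or silently skip the ipset entry. Separately, `=pe` grants the capability to every local account that can execute the binary, so `cap_sys_module=pe /sbin/modprobe`, `cap_sys_admin=pe /sbin/sysctl` and the `cap_net_raw=pe` entries for tcpdump/tshark expose kernel-module loading, broad system administration and packet capture independently of the group restrictions in sysconf/capability.conf. Using `=ei` instead would limit them to processes whose inheritable set pam_cap populated for %vyattacfg/%vyattaop, which appears to be what that file intends. A header comment naming the consumer of this file and the expected line format (`<capabilities>=<flags> <absolute path>`) would make future edits less error-prone.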