authorStephen Hemminger <stephen.hemminger@vyatta.com>2010-05-25 08:56:10 -0700
committerStephen Hemminger <stephen.hemminger@vyatta.com>2010-06-04 14:09:51 -0700
commit379c2618cfbc337625f809f63fd4cb22793eccf8 (patch)
tree752cb940ec834c316d8f5f71513734e0b4f485a3 /sysconf
parent67151d699de7c046c9bd557bbadc5fe12950228e (diff)
Set file capability attributes
This sets file capability attributes during package installation (and build) to allow better security models.
Diffstat (limited to 'sysconf')
-rw-r--r--sysconf/filecaps31
1 files changed, 31 insertions, 0 deletions
diff --git a/sysconf/filecaps b/sysconf/filecaps
new file mode 100644
index 00000000..80730334
--- /dev/null
+++ b/sysconf/filecaps
@@ -0,0 +1,31 @@
+# List of files that get special attribute labeling
+
+# Network related utilities
+cap_net_admin=pe /usr/sbin/ethtool
+cap_net_admin=pe /sbin/tc
+cap_net_admin=pe /bin/ip
+cap_net_admin=pe /sbin/iptables
+cap_net_admin=pe /sbin/ip6tables
+cap_net_admin=pe /sbin/ipset
+cap_net_admin=pe /usr/sbin/conntrack
+cap_net_admin=pe /usr/sbin/arp
+cap_net_admin=pe /usr/sbin/brctl
+
+# Raw sockets
+cap_net_raw=pe /usr/bin/tshark
+cap_net_raw=pe /usr/sbin/tcpdump
+cap_net_raw=pe /bin/ping
+cap_net_raw=pe /bin/ping6
+
+# Special case to allow command login
+cap_audit_write=pe /bin/vbash
+
+# Allow changes to system settings
+cap_sys_admin=pe /sbin/sysctl
+
+# Module install
+cap_sys_module=pe /sbin/modprobe
+
+# Set time
+cap_sys_time=pe /bin/date
+cap_sys_time=pe /usr/sbin/ntpdate
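Review bot: Every entry uses `=pe`, so the capability is raised for any user who can execute the binary, and nothing in this list says who that is meant to be. The `cap_sys_module` grant on `/sbin/modprobe` is the broadest, since loading a kernel module is effectively root-equivalent, and `cap_sys_admin` on `/sbin/sysctl` and `cap_net_admin` on `/sbin/iptables` and `/bin/ip` let the caller change system and firewall state. If the install step that consumes this file does not also tighten owner, group and mode on these paths (not visible in this hunk), a safer shape is `=ei` entries paired with per-user inheritable sets through pam_cap. At minimum the header should record the assumption, for example `# Binaries listed here must not be world-executable; restrict execute permission to the admin group`.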