From 379c2618cfbc337625f809f63fd4cb22793eccf8 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Tue, 25 May 2010 08:56:10 -0700
Subject: Set file capability attributes

This sets file capability attributes during package installation (and build) to allow better security models.
---
 sysconf/filecaps | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 sysconf/filecaps
(limited to 'sysconf')
diff --git a/sysconf/filecaps b/sysconf/filecaps
new file mode 100644
index 00000000..80730334
--- /dev/null
+++ b/sysconf/filecaps
@@ -0,0 +1,31 @@
+# List of files that get special attribute labeling
+
+# Network related utilities
+cap_net_admin=pe /usr/sbin/ethtool
+cap_net_admin=pe /sbin/tc
+cap_net_admin=pe /bin/ip
+cap_net_admin=pe /sbin/iptables
+cap_net_admin=pe /sbin/ip6tables
+cap_net_admin=pe /sbin/ipset
+cap_net_admin=pe /usr/sbin/conntrack
+cap_net_admin=pe /usr/sbin/arp
+cap_net_admin=pe /usr/sbin/brctl
+
+# Raw sockets
+cap_net_raw=pe /usr/bin/tshark
+cap_net_raw=pe /usr/sbin/tcpdump
+cap_net_raw=pe /bin/ping
+cap_net_raw=pe /bin/ping6
+
+# Special case to allow command login
+cap_audit_write=pe /bin/vbash
+
+# Allow changes to system settings
+cap_sys_admin=pe /sbin/sysctl
+
+# Module install
+cap_sys_module=pe /sbin/modprobe
+
+# Set time
+cap_sys_time=pe /bin/date
+cap_sys_time=pe /usr/sbin/ntpdate
-- 
cgit v1.2.3
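Review bot: Several entries in this new file grant root-equivalent capabilities to binaries that are normally executable by every local user, and nothing in the file or the commit message says how execution is restricted: `cap_sys_module=pe /sbin/modprobe` lets anyone who can run modprobe load kernel code, `cap_sys_admin=pe /sbin/sysctl` hands out CAP_SYS_ADMIN, and `cap_sys_time=pe /bin/date` lets any user change the system clock. If these binaries are meant to be reachable only through a restricted shell or a dedicated group, that assumption should be recorded next to each such entry (for example `# root-equivalent: execution must be limited to the operator group`), otherwise the entries should be narrowed to the daemons or wrappers that actually need the capability. The file also does not document its own format or the flag letters; I would extend the header comment with `# Format: <capability>=<flags> <path>  (libcap text syntax; "pe" = permitted+effective)` and a line naming the script that applies it at install/build time, which this patch does not show, so I am inferring the consumer from the commit message.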