Merge "Remove fsetid from netd."

commit: d107abd1ba4758db1f6d3c427ba69382007b31ff [log] [tgz]
author: Nick Kralevich <nnk@google.com> Tue Feb 25 15:40:59 2014 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Feb 25 15:40:59 2014 +0000
tree: 6480b2b7ed16ea7fb921cbcf7f95105940b16e7d
parent: 798668f32fccb5ff49753c15a8b742eb43ddfa7e [diff]
parent: d581b812d61ea5ee6a267afe9ae28c0808fc8aa4 [diff]
diff --git a/netd.te b/netd.te
index f8c9ffb..fb54bde 100644
--- a/netd.te
+++ b/netd.te

@@ -5,7 +5,16 @@
 init_daemon_domain(netd)
 net_domain(netd)
 
-allow netd self:capability { net_admin net_raw kill fsetid };
+allow netd self:capability { net_admin net_raw kill };
+# Note: fsetid is deliberately not included above. fsetid checks are
+# triggered by chmod on a directory or file owned by a group other
+# than one of the groups assigned to the current process to see if
+# the setgid bit should be cleared, regardless of whether the setgid
+# bit was even set.  We do not appear to truly need this capability
+# for netd to operate.  Uncomment the dontaudit rule below after
+# sufficient testing of the fsetid removal.
+# dontaudit netd self:capability fsetid;
+
 allow netd self:netlink_kobject_uevent_socket *;
 allow netd self:netlink_route_socket *;
 allow netd self:netlink_nflog_socket *;
commit	d107abd1ba4758db1f6d3c427ba69382007b31ff	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Tue Feb 25 15:40:59 2014 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Tue Feb 25 15:40:59 2014 +0000
tree	6480b2b7ed16ea7fb921cbcf7f95105940b16e7d
parent	798668f32fccb5ff49753c15a8b742eb43ddfa7e [diff]
parent	d581b812d61ea5ee6a267afe9ae28c0808fc8aa4 [diff]