zygote requires setpcap in order to drop from its bounding set.

I8560fa5ad125bf31f0d13be513431697bc7d22bb changed the zygote to limit the bounding capability set to CAP_NET_RAW. This triggers a CAP_SETPCAP check by the kernel, which requires SELinux setpcap permission. Change-Id: Ib910d97dcf708273e2806e2824f4abe9fc239d6d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

zygote requires setpcap in order to drop from its bounding set.
I8560fa5ad125bf31f0d13be513431697bc7d22bb changed the zygote to limit the bounding capability set to CAP_NET_RAW. This triggers a CAP_SETPCAP check by the kernel, which requires SELinux setpcap permission. Change-Id: Ib910d97dcf708273e2806e2824f4abe9fc239d6d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
e468016b · Stephen Smalley · 58b0fb6d · e468016b
Commit e468016b authored 12 years ago by Stephen Smalley
--- a/zygote.te
+++ b/zygote.te
@@ -6,6 +6,8 @@ init_daemon_domain(zygote)
 typeattribute zygote mlstrustedsubject;
 # Override DAC on files and switch uid/gid.
 allow zygote self:capability { dac_override setgid setuid };
+# Drop capabilities from bounding set.
+allow zygote self:capability setpcap;
 # Switch SELinux context to app domains.
 allow zygote system:process dyntransition;
 allow zygote appdomain:process dyntransition;