From e4f9c9f4f4c5af851410fde006f6589c0bf7f863 Mon Sep 17 00:00:00 2001
From: Patrik Koncity
Date: Wed, 5 Aug 2020 17:26:20 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/e4f9c9f4f4c5af851410fde006f6589c0bf7f863
Conflict: NA
Subject: [PATCH] Allow unconfined_t to node_bind icmp_sockets in node_t domain

When uncofined user run ping or traceroute, this process get label unconfined_t. Allow to ping or traceroute, which run as unconfined_t, to node_bind icmp_sockets in node_t domain.

Bugzila: https://bugzilla.redhat.com/show_bug.cgi?id=1848929#c0
---
 policy/modules/kernel/corenetwork.te.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index c317449..b718ab0 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -465,7 +465,7 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
 
 # Bind to any network address.
 allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket sctp_socket} name_bind;
-allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
+allow corenet_unconfined_type node_type:{ dccp_socket icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
 
 # Infiniband
 corenet_ib_access_all_pkeys(corenet_unconfined_type)
-- 
1.8.3.1
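Review bot: The changed `allow` line is written against the `corenet_unconfined_type` attribute and the `node_type` attribute, so the new `icmp_socket` `node_bind` permission reaches every domain that carries that attribute and every node label, not only `unconfined_t` on `node_t` as the commit message describes. Which domains carry the attribute is not visible in this hunk, so it is worth confirming that all of them are meant to receive it. The existing `# Bind to any network address.` comment does not explain why `icmp_socket` is in the list; I would add a line above the rule such as `# icmp_socket: ping/traceroute run by unconfined users bind ICMP sockets (rhbz#1848929)`. The other `corenet_unconfined_type` rules in this block lie mostly outside the hunk, so whether any of them needs `icmp_socket` for consistency should be checked against the full file.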