2022-02-16 13:19:24

by Russell Coker

[permalink] [raw]
Subject: [PATCH] dontaudit net_admin without hide_broken_symptoms

Sending this patch again without the ifdef, I agree that the ifdef isn't very
useful nowadays.

Signed-off-by: Russell Coker <[email protected]>

Index: refpolicy-2.20220216/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20220216.orig/policy/modules/services/cron.te
+++ refpolicy-2.20220216/policy/modules/services/cron.te
@@ -172,6 +172,8 @@ tunable_policy(`fcron_crond',`
# Daemon local policy
#

+# for changing buffer sizes
+dontaudit crond_t self:capability net_admin;
allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
dontaudit crond_t self:capability { sys_tty_config };

Index: refpolicy-2.20220216/policy/modules/services/dbus.te
===================================================================
--- refpolicy-2.20220216.orig/policy/modules/services/dbus.te
+++ refpolicy-2.20220216/policy/modules/services/dbus.te
@@ -67,6 +67,8 @@ ifdef(`enable_mls',`
# Local policy
#

+# for changing buffer sizes
+dontaudit system_dbusd_t self:capability net_admin;
allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
Index: refpolicy-2.20220216/policy/modules/services/policykit.te
===================================================================
--- refpolicy-2.20220216.orig/policy/modules/services/policykit.te
+++ refpolicy-2.20220216/policy/modules/services/policykit.te
@@ -68,6 +68,8 @@ miscfiles_read_localization(policykit_do
# Local policy
#

+# for changing buffer sizes
+dontaudit policykit_t self:capability net_admin;
allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
allow policykit_t self:process { getsched setsched signal };
allow policykit_t self:unix_stream_socket { accept connectto listen };
Index: refpolicy-2.20220216/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20220216.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20220216/policy/modules/services/postfix.te
@@ -107,6 +107,8 @@ mta_mailserver_delivery(postfix_virtual_
# Common postfix domain local policy
#

+# for changing buffer sizes
+dontaudit postfix_domain self:capability net_admin;
allow postfix_domain self:capability { sys_chroot sys_nice };
dontaudit postfix_domain self:capability sys_tty_config;
allow postfix_domain self:process { signal_perms setpgid setsched };


2022-02-16 18:08:34

by Chris PeBenito

[permalink] [raw]
Subject: Re: [PATCH] dontaudit net_admin without hide_broken_symptoms

On 2/16/22 08:07, Russell Coker wrote:
> Sending this patch again without the ifdef, I agree that the ifdef isn't very
> useful nowadays.
>
> Signed-off-by: Russell Coker <[email protected]>
>
> Index: refpolicy-2.20220216/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20220216.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20220216/policy/modules/services/cron.te
> @@ -172,6 +172,8 @@ tunable_policy(`fcron_crond',`
> # Daemon local policy
> #
>
> +# for changing buffer sizes
> +dontaudit crond_t self:capability net_admin;
> allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
> dontaudit crond_t self:capability { sys_tty_config };
>
> Index: refpolicy-2.20220216/policy/modules/services/dbus.te
> ===================================================================
> --- refpolicy-2.20220216.orig/policy/modules/services/dbus.te
> +++ refpolicy-2.20220216/policy/modules/services/dbus.te
> @@ -67,6 +67,8 @@ ifdef(`enable_mls',`
> # Local policy
> #
>
> +# for changing buffer sizes
> +dontaudit system_dbusd_t self:capability net_admin;
> allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
> dontaudit system_dbusd_t self:capability sys_tty_config;
> allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
> Index: refpolicy-2.20220216/policy/modules/services/policykit.te
> ===================================================================
> --- refpolicy-2.20220216.orig/policy/modules/services/policykit.te
> +++ refpolicy-2.20220216/policy/modules/services/policykit.te
> @@ -68,6 +68,8 @@ miscfiles_read_localization(policykit_do
> # Local policy
> #
>
> +# for changing buffer sizes
> +dontaudit policykit_t self:capability net_admin;
> allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
> allow policykit_t self:process { getsched setsched signal };
> allow policykit_t self:unix_stream_socket { accept connectto listen };
> Index: refpolicy-2.20220216/policy/modules/services/postfix.te
> ===================================================================
> --- refpolicy-2.20220216.orig/policy/modules/services/postfix.te
> +++ refpolicy-2.20220216/policy/modules/services/postfix.te
> @@ -107,6 +107,8 @@ mta_mailserver_delivery(postfix_virtual_
> # Common postfix domain local policy
> #
>
> +# for changing buffer sizes
> +dontaudit postfix_domain self:capability net_admin;
> allow postfix_domain self:capability { sys_chroot sys_nice };
> dontaudit postfix_domain self:capability sys_tty_config;
> allow postfix_domain self:process { signal_perms setpgid setsched };

Merged.

--
Chris PeBenito