Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 599A6C43387 for ; Sat, 5 Jan 2019 01:31:14 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 1C74621872 for ; Sat, 5 Jan 2019 01:31:14 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="HXOqmZCr" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726146AbfAEBbN (ORCPT ); Fri, 4 Jan 2019 20:31:13 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:35764 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725862AbfAEBbN (ORCPT ); Fri, 4 Jan 2019 20:31:13 -0500 Received: from liv.localnet (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id DDE44F342 for ; Sat, 5 Jan 2019 12:31:09 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1546651870; bh=m5gUbSjOrBj8TOHMd/XtT5MKQ8FuGChlbMBKOZQ+FZw=; l=3939; h=From:To:Subject:Date:From; b=HXOqmZCrNTI1nJ1BKjBbWgfZWQVNHv1DsnR2fTTV23l7LCfY7deUTBAai98kIm8fs XZTLqaKZzW4R+BGcFsLO0NzuHt6LzmuNysEoe4Coq9APiw7vSpZ6QX0AWJdSB8k577 Dj6am5BlLrn/ofjvWH6kcEgTeUkawsvkXsU7TveQ= From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: net_admin Date: Sat, 05 Jan 2019 12:31:02 +1100 Message-ID: <3956956.VbaQatea7V@liv> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org allow crond_t self:capability net_admin; allow policykit_t self:capability net_admin; allow postfix_cleanup_t self:capability net_admin; allow postfix_master_t self:capability net_admin; allow postfix_pickup_t self:capability net_admin; allow postfix_qmgr_t self:capability net_admin; allow postfix_smtp_t self:capability net_admin; allow system_dbusd_t self:capability net_admin; Above are some of the output from audit2allow on my laptop running the latest Debian/Unstable. Seems that some recent library changes have made lots of programs try to change socket buffer sizes in a way that requires net_admin. This isn't a sudden thing, it's been slowly increasing over time. /* Allow interface configuration */ /* Allow administration of IP firewall, masquerading and accounting */ /* Allow setting debug option on sockets */ /* Allow modification of routing tables */ /* Allow setting arbitrary process / process group ownership on sockets */ /* Allow binding to any address for transparent proxying (also via NET_RAW) */ /* Allow setting TOS (type of service) */ /* Allow setting promiscuous mode */ /* Allow clearing driver statistics */ /* Allow multicasting */ /* Allow read/write of device-specific registers */ /* Allow activation of ATM control sockets */ #define CAP_NET_ADMIN 12 Above from capability.h has the list of things that net_admin might be for. I don't know what the debug option on sockets is or the process/process group ownership. Setting TOS and multicast are things that many root owned processes might want to do. I've been hesitant to put in dontaudit rules because there are many programs like the Postfix master process which might have a legitimate need for debug mode, process ownership, or TOS. Below are some of the audit log analysis of denials for setting buffer size. Those programs work ok without it. Should we have a tunable for dontauditing this? Also while we don't want to have the 300 capabilities that Irix apparently had, splitting net_admin into multiple capabilities seems like a good option (I know the probability of this is close to zero). type=PROCTITLE msg=audit(03/09/18 10:42:19.376:20586) : proctitle=/usr/lib/ dbus-1.0/dbus-daemon-launch-helper org.kde.powerdevil.backlighthelper type=SYSCALL msg=audit(03/09/18 10:42:19.376:20586) : arch=x86_64 syscall=setsockopt success=no exit=EPERM(Operation not permitted) a0=0x3 a1=SOL_SOCKET a2=SO_RCVBUFFORCE a3=0x7ffe74e25b30 items=0 ppid=27258 pid=27259 auid=unset uid=messagebus gid=messagebus euid=root suid=root fsuid=root egid=messagebus sgid=messagebus fsgid=messagebus tty=(none) ses=unset comm=dbus-daemon-lau exe=/usr/lib/dbus-1.0/dbus-daemon-launch-helper subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(03/09/18 10:42:19.376:20586) : avc: denied { net_admin } for pid=27259 comm=dbus-daemon-lau capability=net_admin scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=capability permissive=0 ---- type=PROCTITLE msg=audit(05/01/19 12:17:01.555:20586) : proctitle=/usr/sbin/ CRON -f type=SYSCALL msg=audit(05/01/19 12:17:01.555:20586) : arch=x86_64 syscall=setsockopt success=no exit=EPERM(Operation not permitted) a0=0x3 a1=SOL_SOCKET a2=SO_SNDBUFFORCE a3=0x7ffc8f730a20 items=0 ppid=21686 pid=21688 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1120 comm=cron exe=/usr/sbin/cron subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(05/01/19 12:17:01.555:20586) : avc: denied { net_admin } for pid=21688 comm=cron capability=net_admin scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability permissive=0 -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/