Date: Thu, 17 Feb 2022 00:07:30 +1100
From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] dontaudit net_admin without hide_broken_symptoms

Sending this patch again without the ifdef, I agree that the ifdef isn't very useful nowadays.

Signed-off-by: Russell Coker

Index: refpolicy-2.20220216/policy/modules/services/cron.te =================================================================== --- refpolicy-2.20220216.orig/policy/modules/services/cron.te +++ refpolicy-2.20220216/policy/modules/services/cron.te @@ -172,6 +172,8 @@ tunable_policy(`fcron_crond',` # Daemon local policy # +# for changing buffer sizes +dontaudit crond_t self:capability net_admin; allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource }; dontaudit crond_t self:capability { sys_tty_config }; Index: refpolicy-2.20220216/policy/modules/services/dbus.te =================================================================== --- refpolicy-2.20220216.orig/policy/modules/services/dbus.te +++ refpolicy-2.20220216/policy/modules/services/dbus.te
@@ -67,6 +67,8 @@ ifdef(`enable_mls',` # Local policy # +# for changing buffer sizes +dontaudit system_dbusd_t self:capability net_admin; allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource }; dontaudit system_dbusd_t self:capability sys_tty_config; allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit }; Index: refpolicy-2.20220216/policy/modules/services/policykit.te =================================================================== --- refpolicy-2.20220216.orig/policy/modules/services/policykit.te +++ refpolicy-2.20220216/policy/modules/services/policykit.te @@ -68,6 +68,8 @@ miscfiles_read_localization(policykit_do # Local policy # +# for changing buffer sizes +dontaudit policykit_t self:capability net_admin; allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace }; allow policykit_t self:process { getsched setsched signal }; allow policykit_t self:unix_stream_socket { accept connectto listen }; Index: refpolicy-2.20220216/policy/modules/services/postfix.te =================================================================== --- refpolicy-2.20220216.orig/policy/modules/services/postfix.te +++ refpolicy-2.20220216/policy/modules/services/postfix.te @@ -107,6 +107,8 @@ mta_mailserver_delivery(postfix_virtual_ # Common postfix domain local policy # +# for changing buffer sizes +dontaudit postfix_domain self:capability net_admin; allow postfix_domain self:capability { sys_chroot sys_nice }; dontaudit postfix_domain self:capability sys_tty_config; allow postfix_domain self:process { signal_perms setpgid setsched };
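Review bot: In the cron.te hunk the new `dontaudit crond_t self:capability net_admin;` is inserted above the `allow crond_t self:capability { ... };` line, while the existing `dontaudit crond_t self:capability { sys_tty_config };` sits below it; folding the new permission into that existing rule as `dontaudit crond_t self:capability { net_admin sys_tty_config };` keeps the allow-then-dontaudit ordering the surrounding context uses and avoids two dontaudit rules for the same class. The comment "for changing buffer sizes" would also be more useful if it named the call that triggers the net_admin check, since an unconditional dontaudit silences every net_admin denial for crond_t, not only the benign one, and a reader auditing this domain later needs to know which one was intended.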
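Review bot: Same ordering point for the dbus.te hunk: the context already has `dontaudit system_dbusd_t self:capability sys_tty_config;` after the allow rule, so the new net_admin dontaudit could be merged into it (`dontaudit system_dbusd_t self:capability { net_admin sys_tty_config };`) rather than placed before `allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };`. The duplicated one-line comment gives no hint that the same cause applies across all four modules; a single sentence stating what in these daemons requests the larger buffer would make the unconditional dontaudit easier to justify in review.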
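Review bot: In the policykit.te hunk the visible context has no existing dontaudit line, so the new `dontaudit policykit_t self:capability net_admin;` lands before `allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };`; placing it after the allow rule would match the ordering the other three hunks' context shows. As with the other modules, the comment should say which operation is being silenced, because net_admin is a broad capability and the dontaudit will also hide any unrelated attempt by policykit_t to use it.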
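Review bot: The postfix.te hunk applies the dontaudit to the `postfix_domain` attribute under "Common postfix domain local policy", so unlike the other three hunks it silences net_admin denials for every domain carrying that attribute rather than a single process type; the comment should state that this breadth is intended. The existing `dontaudit postfix_domain self:capability sys_tty_config;` below the allow rule is again the natural place to add net_admin (`dontaudit postfix_domain self:capability { net_admin sys_tty_config };`) instead of a second dontaudit rule ahead of `allow postfix_domain self:capability { sys_chroot sys_nice };`.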