The following patch adds dontaudit rules for where the net_admin capability
is requested due to SO_SNDBUFFORCE. This forces the caller to use SO_SNDBUF
which gives the same result but possibly a smaller buffer.
Index: refpolicy-2.20170313/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20170313.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20170313/policy/modules/services/ssh.if
@@ -182,6 +182,8 @@ template(`ssh_server_template', `
files_pid_file($1_var_run_t)
allow $1_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot sys_nice sys_resource sys_tty_config };
+ # net_admin is for SO_SNDBUFFORCE
+ dontaudit $1_t self:capability net_admin;
allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
allow $1_t self:tcp_socket create_stream_socket_perms;
Index: refpolicy-2.20170313/policy/modules/contrib/rpcbind.te
===================================================================
--- refpolicy-2.20170313.orig/policy/modules/contrib/rpcbind.te
+++ refpolicy-2.20170313/policy/modules/contrib/rpcbind.te
@@ -26,6 +26,8 @@ files_type(rpcbind_var_lib_t)
#
allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit rpcbind_t self:capability net_admin;
allow rpcbind_t self:fifo_file rw_fifo_file_perms;
allow rpcbind_t self:unix_stream_socket { accept listen };
allow rpcbind_t self:tcp_socket { accept listen };
Index: refpolicy-2.20170313/policy/modules/contrib/tor.te
===================================================================
--- refpolicy-2.20170313.orig/policy/modules/contrib/tor.te
+++ refpolicy-2.20170313/policy/modules/contrib/tor.te
@@ -42,6 +42,8 @@ init_daemon_pid_file(tor_var_run_t, dir,
#
allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit tor_t self:capability net_admin;
allow tor_t self:process signal;
allow tor_t self:fifo_file rw_fifo_file_perms;
allow tor_t self:unix_stream_socket { accept listen };
On 03/21/2017 10:46 AM, Russell Coker via refpolicy wrote:
> The following patch adds dontaudit rules for where the net_admin capability
> is requested due to SO_SNDBUFFORCE. This forces the caller to use SO_SNDBUF
> which gives the same result but possibly a smaller buffer.
Merged.
> Index: refpolicy-2.20170313/policy/modules/services/ssh.if
> ===================================================================
> --- refpolicy-2.20170313.orig/policy/modules/services/ssh.if
> +++ refpolicy-2.20170313/policy/modules/services/ssh.if
> @@ -182,6 +182,8 @@ template(`ssh_server_template', `
> files_pid_file($1_var_run_t)
>
> allow $1_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot sys_nice sys_resource sys_tty_config };
> + # net_admin is for SO_SNDBUFFORCE
> + dontaudit $1_t self:capability net_admin;
> allow $1_t self:fifo_file rw_fifo_file_perms;
> allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
> allow $1_t self:tcp_socket create_stream_socket_perms;
> Index: refpolicy-2.20170313/policy/modules/contrib/rpcbind.te
> ===================================================================
> --- refpolicy-2.20170313.orig/policy/modules/contrib/rpcbind.te
> +++ refpolicy-2.20170313/policy/modules/contrib/rpcbind.te
> @@ -26,6 +26,8 @@ files_type(rpcbind_var_lib_t)
> #
>
> allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
> +# net_admin is for SO_SNDBUFFORCE
> +dontaudit rpcbind_t self:capability net_admin;
> allow rpcbind_t self:fifo_file rw_fifo_file_perms;
> allow rpcbind_t self:unix_stream_socket { accept listen };
> allow rpcbind_t self:tcp_socket { accept listen };
> Index: refpolicy-2.20170313/policy/modules/contrib/tor.te
> ===================================================================
> --- refpolicy-2.20170313.orig/policy/modules/contrib/tor.te
> +++ refpolicy-2.20170313/policy/modules/contrib/tor.te
> @@ -42,6 +42,8 @@ init_daemon_pid_file(tor_var_run_t, dir,
> #
>
> allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
> +# net_admin is for SO_SNDBUFFORCE
> +dontaudit tor_t self:capability net_admin;
> allow tor_t self:process signal;
> allow tor_t self:fifo_file rw_fifo_file_perms;
> allow tor_t self:unix_stream_socket { accept listen };
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
--
Chris PeBenito