From: russell@coker.com.au (Russell Coker)
Date: Wed, 22 Mar 2017 01:46:43 +1100
Subject: [refpolicy] dontaudit net_admin for SO_SNDBUFFORCE
Message-ID: <20170321144642.gfs7kri5gkefsor4@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The following patch adds dontaudit rules for where the net_admin capability
is requested due to SO_SNDBUFFORCE.  This forces the caller to use SO_SNDBUF
which gives the same result but possibly a smaller buffer.

Index: refpolicy-2.20170313/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20170313.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20170313/policy/modules/services/ssh.if
@@ -182,6 +182,8 @@ template(`ssh_server_template', `
 	files_pid_file($1_var_run_t)
 
 	allow $1_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot sys_nice sys_resource sys_tty_config };
+	# net_admin is for SO_SNDBUFFORCE
+	dontaudit $1_t self:capability net_admin;
 	allow $1_t self:fifo_file rw_fifo_file_perms;
 	allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
 	allow $1_t self:tcp_socket create_stream_socket_perms;
Index: refpolicy-2.20170313/policy/modules/contrib/rpcbind.te
===================================================================
--- refpolicy-2.20170313.orig/policy/modules/contrib/rpcbind.te
+++ refpolicy-2.20170313/policy/modules/contrib/rpcbind.te
@@ -26,6 +26,8 @@ files_type(rpcbind_var_lib_t)
 #
 
 allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit rpcbind_t self:capability net_admin;
 allow rpcbind_t self:fifo_file rw_fifo_file_perms;
 allow rpcbind_t self:unix_stream_socket { accept listen };
 allow rpcbind_t self:tcp_socket { accept listen };
Index: refpolicy-2.20170313/policy/modules/contrib/tor.te
===================================================================
--- refpolicy-2.20170313.orig/policy/modules/contrib/tor.te
+++ refpolicy-2.20170313/policy/modules/contrib/tor.te
@@ -42,6 +42,8 @@ init_daemon_pid_file(tor_var_run_t, dir,
 #
 
 allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit tor_t self:capability net_admin;
 allow tor_t self:process signal;
 allow tor_t self:fifo_file rw_fifo_file_perms;
 allow tor_t self:unix_stream_socket { accept listen };