From: russell@coker.com.au (Russell Coker) Date: Wed, 22 Mar 2017 01:46:43 +1100 Subject: [refpolicy] dontaudit net_admin for SO_SNDBUFFORCE Message-ID: <20170321144642.gfs7kri5gkefsor4@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The following patch adds dontaudit rules for where the net_admin capability is requested due to SO_SNDBUFFORCE. This forces the caller to use SO_SNDBUF which gives the same result but possibly a smaller buffer.
Index: refpolicy-2.20170313/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20170313.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20170313/policy/modules/services/ssh.if
@@ -182,6 +182,8 @@ template(`ssh_server_template', `
 files_pid_file($1_var_run_t)
 
 allow $1_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot sys_nice sys_resource sys_tty_config };
+ # net_admin is for SO_SNDBUFFORCE
+ dontaudit $1_t self:capability net_admin;
 allow $1_t self:fifo_file rw_fifo_file_perms;
 allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
 allow $1_t self:tcp_socket create_stream_socket_perms;
Index: refpolicy-2.20170313/policy/modules/contrib/rpcbind.te
===================================================================
--- refpolicy-2.20170313.orig/policy/modules/contrib/rpcbind.te
+++ refpolicy-2.20170313/policy/modules/contrib/rpcbind.te
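Review bot: `dontaudit $1_t self:capability net_admin;` silences every net_admin capability check made by the ssh server domain, not only the one raised by SO_SNDBUFFORCE, and the rpcbind.te and tor.te hunks have the same property for rpcbind_t and tor_t. If one of these daemons later hits net_admin on a different code path (a socket option, a routing or interface query), that denial will no longer appear in the audit log, which makes the resulting failure hard to diagnose. The added comment should state that scope explicitly, e.g. `# SO_SNDBUFFORCE checks net_admin; denied so the caller falls back to SO_SNDBUF` followed by `# (note: this also hides any other net_admin denial for this domain)`. Should any of these daemons actually need the forced buffer size, an allow rule rather than a dontaudit would be the fix, though nothing in the patch suggests that. The `ssh_server_template` body continues on both sides of the ssh.if hunk.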
@@ -26,6 +26,8 @@ files_type(rpcbind_var_lib_t)
 #
 
 allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit rpcbind_t self:capability net_admin;
 allow rpcbind_t self:fifo_file rw_fifo_file_perms;
 allow rpcbind_t self:unix_stream_socket { accept listen };
 allow rpcbind_t self:tcp_socket { accept listen };
Index: refpolicy-2.20170313/policy/modules/contrib/tor.te
===================================================================
--- refpolicy-2.20170313.orig/policy/modules/contrib/tor.te
+++ refpolicy-2.20170313/policy/modules/contrib/tor.te
@@ -42,6 +42,8 @@ init_daemon_pid_file(tor_var_run_t, dir,
 #
 
 allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit tor_t self:capability net_admin;
 allow tor_t self:process signal;
 allow tor_t self:fifo_file rw_fifo_file_perms;
 allow tor_t self:unix_stream_socket { accept listen };