From: pebenito@ieee.org (Chris PeBenito) Date: Sat, 25 Mar 2017 12:33:42 -0400 Subject: [refpolicy] dontaudit net_admin for SO_SNDBUFFORCE In-Reply-To: <20170321144642.gfs7kri5gkefsor4@athena.coker.com.au> References: <20170321144642.gfs7kri5gkefsor4@athena.coker.com.au> Message-ID: <635b4d3a-936e-8d28-46f6-480941b4c492@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 03/21/2017 10:46 AM, Russell Coker via refpolicy wrote: > The following patch adds dontaudit rules for where the net_admin capability > is requested due to SO_SNDBUFFORCE. This forces the caller to use SO_SNDBUF > which gives the same result but possibly a smaller buffer. Merged. > Index: refpolicy-2.20170313/policy/modules/services/ssh.if > =================================================================== > --- refpolicy-2.20170313.orig/policy/modules/services/ssh.if > +++ refpolicy-2.20170313/policy/modules/services/ssh.if > @@ -182,6 +182,8 @@ template(`ssh_server_template', ` > files_pid_file($1_var_run_t) > > allow $1_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot sys_nice sys_resource sys_tty_config }; > + # net_admin is for SO_SNDBUFFORCE > + dontaudit $1_t self:capability net_admin; > allow $1_t self:fifo_file rw_fifo_file_perms; > allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate }; > allow $1_t self:tcp_socket create_stream_socket_perms; > Index: refpolicy-2.20170313/policy/modules/contrib/rpcbind.te > =================================================================== > --- refpolicy-2.20170313.orig/policy/modules/contrib/rpcbind.te > +++ refpolicy-2.20170313/policy/modules/contrib/rpcbind.te 
> @@ -26,6 +26,8 @@ files_type(rpcbind_var_lib_t) > # > > allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config }; > +# net_admin is for SO_SNDBUFFORCE > +dontaudit rpcbind_t self:capability net_admin; > allow rpcbind_t self:fifo_file rw_fifo_file_perms; > allow rpcbind_t self:unix_stream_socket { accept listen }; > allow rpcbind_t self:tcp_socket { accept listen }; > Index: refpolicy-2.20170313/policy/modules/contrib/tor.te > =================================================================== > --- refpolicy-2.20170313.orig/policy/modules/contrib/tor.te > +++ refpolicy-2.20170313/policy/modules/contrib/tor.te > @@ -42,6 +42,8 @@ init_daemon_pid_file(tor_var_run_t, dir, > # > > allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config }; > +# net_admin is for SO_SNDBUFFORCE > +dontaudit tor_t self:capability net_admin; > allow tor_t self:process signal; > allow tor_t self:fifo_file rw_fifo_file_perms; > allow tor_t self:unix_stream_socket { accept listen }; > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito
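Review bot: in the ssh.if hunk the dontaudit sits inside `ssh_server_template`, so it applies to every `$1_t` domain instantiated from the template, and the one-line comment `# net_admin is for SO_SNDBUFFORCE` does not say that the denial is intentional; suggest wording it so a later reader does not "fix" a silent EPERM by moving net_admin into the `allow $1_t self:capability { ... }` line just above, e.g. "net_admin is requested only for SO_SNDBUFFORCE; deliberately not granted, the caller falls back to SO_SNDBUF". Also worth noting in the interface documentation that, as with any dontaudit, the AVC only becomes visible again when the policy is rebuilt with dontaudit rules disabled (`semodule -DB`), which is what an admin debugging a socket-buffer problem will need to know.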
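Review bot: the rpcbind.te hunk is safe as written because the preceding `allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };` grants no net_admin, so the new rule only hides the SO_SNDBUFFORCE probe rather than masking an existing permission; the cost is that any future genuine net_admin need in rpcbind_t would now fail without an AVC to point at it. Suggest the comment state the fallback explicitly ("EPERM here makes rpcbind retry with SO_SNDBUF") so the dontaudit is not mistaken for an incomplete allow.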
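Review bot: the tor.te hunk follows the same pattern and tor_t's capability set on the line above likewise lacks net_admin, so this is pure log-noise suppression; one documentation point for all three hunks is that the comment should make clear the rule must stay a dontaudit and never become an allow, since SO_SNDBUFFORCE exists precisely to let a CAP_NET_ADMIN caller exceed the administrator's wmem_max limit, and granting the capability to a daemon for this would hand it that override along with everything else net_admin permits.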