* [refpolicy] dontaudit net_admin for SO_SNDBUFFORCE
@ 2017-03-21 14:46 Russell Coker
  2017-03-25 16:33 ` Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Russell Coker @ 2017-03-21 14:46 UTC (permalink / raw)
  To: refpolicy

The following patch adds dontaudit rules for the cases where the net_admin capability
is requested because of SO_SNDBUFFORCE.  This forces the caller to use SO_SNDBUF,
which gives the same result but possibly a smaller buffer.

Index: refpolicy-2.20170313/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20170313.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20170313/policy/modules/services/ssh.if
@@ -182,6 +182,8 @@ template(`ssh_server_template', `
 	files_pid_file($1_var_run_t)
 
 	allow $1_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot sys_nice sys_resource sys_tty_config };
+	# net_admin is for SO_SNDBUFFORCE
+	dontaudit $1_t self:capability net_admin;
 	allow $1_t self:fifo_file rw_fifo_file_perms;
 	allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
 	allow $1_t self:tcp_socket create_stream_socket_perms;
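Review bot: The `dontaudit $1_t self:capability net_admin;` added here silences every CAP_NET_ADMIN check against the domain, not only the one raised by SO_SNDBUFFORCE, because a capability denial is not attributed to the setsockopt option that triggered it; the same applies to the rpcbind_t and tor_t hunks below. Any later genuine net_admin requirement in one of these daemons would then fail without an AVC record, which is exactly the case a defender wants logged. If that trade-off is intended, the comment should say so, e.g. `# net_admin is only requested for SO_SNDBUFFORCE (falls back to SO_SNDBUF); this also hides any other net_admin denial`. It would also help to state in the commit message that each daemon was observed retrying with SO_SNDBUF on EPERM rather than failing, since once the denial is dontaudited an unexpected failure leaves no trace in the audit log. The ssh_server_template body continues outside the hunk.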
Index: refpolicy-2.20170313/policy/modules/contrib/rpcbind.te
===================================================================
--- refpolicy-2.20170313.orig/policy/modules/contrib/rpcbind.te
+++ refpolicy-2.20170313/policy/modules/contrib/rpcbind.te
@@ -26,6 +26,8 @@ files_type(rpcbind_var_lib_t)
 #
 
 allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit rpcbind_t self:capability net_admin;
 allow rpcbind_t self:fifo_file rw_fifo_file_perms;
 allow rpcbind_t self:unix_stream_socket { accept listen };
 allow rpcbind_t self:tcp_socket { accept listen };
Index: refpolicy-2.20170313/policy/modules/contrib/tor.te
===================================================================
--- refpolicy-2.20170313.orig/policy/modules/contrib/tor.te
+++ refpolicy-2.20170313/policy/modules/contrib/tor.te
@@ -42,6 +42,8 @@ init_daemon_pid_file(tor_var_run_t, dir,
 #
 
 allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit tor_t self:capability net_admin;
 allow tor_t self:process signal;
 allow tor_t self:fifo_file rw_fifo_file_perms;
 allow tor_t self:unix_stream_socket { accept listen };


* [refpolicy] dontaudit net_admin for SO_SNDBUFFORCE
  2017-03-21 14:46 [refpolicy] dontaudit net_admin for SO_SNDBUFFORCE Russell Coker
@ 2017-03-25 16:33 ` Chris PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2017-03-25 16:33 UTC (permalink / raw)
  To: refpolicy

On 03/21/2017 10:46 AM, Russell Coker via refpolicy wrote:
> The following patch adds dontaudit rules for where the net_admin capability
> is requested due to SO_SNDBUFFORCE.  This forces the caller to use SO_SNDBUF
> which gives the same result but possibly a smaller buffer.

Merged.


> Index: refpolicy-2.20170313/policy/modules/services/ssh.if
> ===================================================================
> --- refpolicy-2.20170313.orig/policy/modules/services/ssh.if
> +++ refpolicy-2.20170313/policy/modules/services/ssh.if
> @@ -182,6 +182,8 @@ template(`ssh_server_template', `
>  	files_pid_file($1_var_run_t)
>
>  	allow $1_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot sys_nice sys_resource sys_tty_config };
> +	# net_admin is for SO_SNDBUFFORCE
> +	dontaudit $1_t self:capability net_admin;
>  	allow $1_t self:fifo_file rw_fifo_file_perms;
>  	allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
>  	allow $1_t self:tcp_socket create_stream_socket_perms;
> Index: refpolicy-2.20170313/policy/modules/contrib/rpcbind.te
> ===================================================================
> --- refpolicy-2.20170313.orig/policy/modules/contrib/rpcbind.te
> +++ refpolicy-2.20170313/policy/modules/contrib/rpcbind.te
> @@ -26,6 +26,8 @@ files_type(rpcbind_var_lib_t)
>  #
>
>  allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
> +# net_admin is for SO_SNDBUFFORCE
> +dontaudit rpcbind_t self:capability net_admin;
>  allow rpcbind_t self:fifo_file rw_fifo_file_perms;
>  allow rpcbind_t self:unix_stream_socket { accept listen };
>  allow rpcbind_t self:tcp_socket { accept listen };
> Index: refpolicy-2.20170313/policy/modules/contrib/tor.te
> ===================================================================
> --- refpolicy-2.20170313.orig/policy/modules/contrib/tor.te
> +++ refpolicy-2.20170313/policy/modules/contrib/tor.te
> @@ -42,6 +42,8 @@ init_daemon_pid_file(tor_var_run_t, dir,
>  #
>
>  allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
> +# net_admin is for SO_SNDBUFFORCE
> +dontaudit tor_t self:capability net_admin;
>  allow tor_t self:process signal;
>  allow tor_t self:fifo_file rw_fifo_file_perms;
>  allow tor_t self:unix_stream_socket { accept listen };
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


-- 
Chris PeBenito
