From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: net_admin
Date: Sat, 5 Jan 2019 14:33:14 -0500	[thread overview]
Message-ID: <241cb8eb-6c7b-4f6f-3a8b-dc3ff4af07b3@ieee.org> (raw)
In-Reply-To: <3956956.VbaQatea7V@liv>

On 1/4/19 8:31 PM, Russell Coker wrote:
> allow crond_t self:capability net_admin;
> allow policykit_t self:capability net_admin;
> allow postfix_cleanup_t self:capability net_admin;
> allow postfix_master_t self:capability net_admin;
> allow postfix_pickup_t self:capability net_admin;
> allow postfix_qmgr_t self:capability net_admin;
> allow postfix_smtp_t self:capability net_admin;
> allow system_dbusd_t self:capability net_admin;
> 
> Above is some of the output from audit2allow on my laptop running the latest
> Debian/Unstable.
> 
> Seems that some recent library changes have made lots of programs try to
> change socket buffer sizes in a way that requires net_admin.  This isn't a
> sudden thing, it's been slowly increasing over time.
> 
> /* Allow interface configuration */
> /* Allow administration of IP firewall, masquerading and accounting */
> /* Allow setting debug option on sockets */
> /* Allow modification of routing tables */
> /* Allow setting arbitrary process / process group ownership on
>     sockets */
> /* Allow binding to any address for transparent proxying (also via NET_RAW) */
> /* Allow setting TOS (type of service) */
> /* Allow setting promiscuous mode */
> /* Allow clearing driver statistics */
> /* Allow multicasting */
> /* Allow read/write of device-specific registers */
> /* Allow activation of ATM control sockets */
> 
> #define CAP_NET_ADMIN        12
> 
> Above from capability.h has the list of things that net_admin might be for.  I
> don't know what the debug option on sockets is or the process/process group
> ownership.  Setting TOS and multicast are things that many root owned
> processes might want to do.  I've been hesitant to put in dontaudit rules
> because there are many programs like the Postfix master process which might
> have a legitimate need for debug mode, process ownership, or TOS.
> 
> Below is some of the audit log analysis of denials for setting buffer size.
> Those programs work ok without it.
> 
> Should we have a tunable for dontauditing this?

I'm not a fan of a tunable, as it seems like unnecessary overhead.  If 
anything I'd put it under the hide_broken_symptoms build option.

-- 
Chris PeBenito
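The thread does not name the socket call behind the "setting buffer size" denials. The following probe is an added example, not code from either poster or from refpolicy, and it rests on one assumption taken from the kernel's socket-option handling rather than from the thread: plain SO_RCVBUF/SO_SNDBUF are silently clamped to net.core.rmem_max/wmem_max and need no privilege, while SO_RCVBUFFORCE/SO_SNDBUFFORCE ask the kernel for capable(CAP_NET_ADMIN), which is what SELinux records as a `self:capability net_admin` denial. The struct and function names (`bufprobe`, `probe_rcvbuf`, `force_needs_net_admin`) are this example's own. Run it as an unprivileged user and the FORCE variant fails with EPERM while the plain one succeeds with a smaller effective size, which is the "works ok without it" behaviour Russell describes.

```c
/* Added example (not part of the thread): show which socket-buffer
 * setsockopt() calls trip the CAP_NET_ADMIN gate.  Assumption, from
 * net/core/sock.c: SO_RCVBUF clamps to net.core.rmem_max without any
 * capability check; SO_RCVBUFFORCE calls capable(CAP_NET_ADMIN), which
 * SELinux reports as a "self:capability net_admin" AVC denial. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_RCVBUFFORCE
#define SO_RCVBUFFORCE 33   /* asm-generic value; normally supplied by <sys/socket.h> on Linux */
#endif

struct bufprobe {
    int socket_ok;    /* 1 if socket() succeeded (sandboxes may refuse it) */
    int plain_rc;     /* setsockopt(SO_RCVBUF) return value */
    int plain_errno;
    int effective;    /* getsockopt(SO_RCVBUF) afterwards: kernel doubles, then clamps */
    int force_rc;     /* setsockopt(SO_RCVBUFFORCE) return value */
    int force_errno;  /* EPERM unless the caller holds CAP_NET_ADMIN */
};

/* Request `requested` bytes of receive buffer both ways and record what happened. */
struct bufprobe probe_rcvbuf(int requested)
{
    struct bufprobe r;
    socklen_t len = sizeof(int);
    int fd;

    memset(&r, 0, sizeof r);
    /* Any socket family works: the buffer caps live in struct sock, not the protocol. */
    fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return r;
    r.socket_ok = 1;

    /* Unprivileged path: succeeds, but the kernel silently clamps the size. */
    r.plain_rc = setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &requested, sizeof requested);
    r.plain_errno = r.plain_rc ? errno : 0;
    if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &r.effective, &len) < 0)
        r.effective = -1;

    /* Privileged path: the same size, but this call demands CAP_NET_ADMIN. */
    r.force_rc = setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &requested, sizeof requested);
    r.force_errno = r.force_rc ? errno : 0;

    close(fd);
    return r;
}

/* 1 when the only failure is the capability gate: the plain request worked,
 * so a program that falls back to it needs no net_admin at all. */
int force_needs_net_admin(const struct bufprobe *r)
{
    return r->socket_ok && r->plain_rc == 0 && r->force_rc != 0 && r->force_errno == EPERM;
}

int main(void)
{
    int want = 64 << 20;   /* 64 MiB, well above the default net.core.rmem_max */
    struct bufprobe r = probe_rcvbuf(want);

    if (!r.socket_ok) {
        perror("socket");
        return 1;
    }
    printf("SO_RCVBUF(%d):      rc=%d errno=%d effective=%d (clamped, no capability needed)\n",
           want, r.plain_rc, r.plain_errno, r.effective);
    printf("SO_RCVBUFFORCE(%d): rc=%d errno=%d%s\n",
           want, r.force_rc, r.force_errno,
           force_needs_net_admin(&r)
               ? " (EPERM: the net_admin denial that audit2allow turns into an allow rule)"
               : "");
    return 0;
}
```

On an SELinux-enforcing host the EPERM from the FORCE call is accompanied by an AVC record with `tclass=capability` and `{ net_admin }` for the calling domain, which is where audit2allow's `allow ... self:capability net_admin;` lines come from. Because the plain call already gives the process a usable (if smaller) buffer, the refpolicy-style answer is the one Chris suggests: a `dontaudit <domain> self:capability net_admin;` inside an `ifdef(`hide_broken_symptoms', ...)` block, rather than an allow rule that would also grant interface, routing and firewall administration.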

Thread overview:
2019-01-05  1:31 net_admin Russell Coker
2019-01-05 19:33 ` Chris PeBenito [this message]