From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: net_admin
Date: Sat, 5 Jan 2019 14:33:14 -0500
Message-ID: <241cb8eb-6c7b-4f6f-3a8b-dc3ff4af07b3@ieee.org>
In-Reply-To: <3956956.VbaQatea7V@liv>
On 1/4/19 8:31 PM, Russell Coker wrote:
> allow crond_t self:capability net_admin;
> allow policykit_t self:capability net_admin;
> allow postfix_cleanup_t self:capability net_admin;
> allow postfix_master_t self:capability net_admin;
> allow postfix_pickup_t self:capability net_admin;
> allow postfix_qmgr_t self:capability net_admin;
> allow postfix_smtp_t self:capability net_admin;
> allow system_dbusd_t self:capability net_admin;
>
> Above is some of the output from audit2allow on my laptop running the latest
> Debian/Unstable.
>
> Seems that some recent library changes have made lots of programs try to
> change socket buffer sizes in a way that requires net_admin. This isn't a
> sudden thing, it's been slowly increasing over time.
>
> /* Allow interface configuration */
> /* Allow administration of IP firewall, masquerading and accounting */
> /* Allow setting debug option on sockets */
> /* Allow modification of routing tables */
> /* Allow setting arbitrary process / process group ownership on
> sockets */
> /* Allow binding to any address for transparent proxying (also via NET_RAW) */
> /* Allow setting TOS (type of service) */
> /* Allow setting promiscuous mode */
> /* Allow clearing driver statistics */
> /* Allow multicasting */
> /* Allow read/write of device-specific registers */
> /* Allow activation of ATM control sockets */
>
> #define CAP_NET_ADMIN 12
>
> The above, from capability.h, lists the things that net_admin might be for. I
> don't know what the debug option on sockets is or the process/process group
> ownership. Setting TOS and multicast are things that many root owned
> processes might want to do. I've been hesitant to put in dontaudit rules
> because there are many programs like the Postfix master process which might
> have a legitimate need for debug mode, process ownership, or TOS.
>
> Below is some of the audit log analysis of denials for setting buffer size.
> Those programs work ok without it.
>
> Should we have a tunable for dontauditing this?
I'm not a fan of a tunable, as it seems like unnecessary overhead. If
anything I'd put it under the hide_broken_symptoms build option.
--
Chris PeBenito
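The buffer-size denial Russell describes, as an added example (not code from the thread, and not part of refpolicy): a small C program that sets a socket send buffer first with SO_SNDBUF, which any process may use and which the kernel silently clamps to net.core.wmem_max, and then with SO_SNDBUFFORCE, which bypasses the clamp and therefore requires CAP_NET_ADMIN (see socket(7)). In a domain without `self:capability net_admin` the second call fails with EPERM and logs an AVC denial for `capability { net_admin }`, the kind audit2allow turned into the rules quoted above; the program keeps working because the first, clamped call already succeeded, which is why those programs run fine without the permission. The 1 GiB request size, the `probe_sndbuf` helper and the `sndbuf_result` struct are this example's own choices; the fallback value 32 for SO_SNDBUFFORCE is the Linux x86/arm constant and is assumed only for toolchains whose headers omit it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* SO_SNDBUFFORCE is Linux-specific; 32 is its value on x86 and arm
 * (assumed fallback for toolchains whose headers omit it). */
#ifndef SO_SNDBUFFORCE
#define SO_SNDBUFFORCE 32
#endif

/* Outcome of one probe: errno-style result of each setsockopt() call
 * (0 = success) plus the buffer size the kernel actually applied. */
struct sndbuf_result {
    int plain_rc;        /* SO_SNDBUF: unprivileged, clamped to wmem_max   */
    int plain_effective; /* what getsockopt(SO_SNDBUF) reports afterwards */
    int force_rc;        /* SO_SNDBUFFORCE: EPERM without CAP_NET_ADMIN   */
};

/* Set the send buffer with the given option; return 0 or the errno value. */
static int set_sndbuf(int fd, int optname, int bytes)
{
    if (setsockopt(fd, SOL_SOCKET, optname, &bytes, sizeof bytes) < 0)
        return errno;
    return 0;
}

/* Read back the effective send buffer size, or -1 on error. */
static int get_sndbuf(int fd)
{
    int val = 0;
    socklen_t len = sizeof val;
    if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &val, &len) < 0)
        return -1;
    return val;
}

/* Request `requested` bytes both ways on a fresh UDP socket.  The
 * capability check lives in the generic socket layer (sock_setsockopt),
 * so the address family does not matter for the demonstration. */
struct sndbuf_result probe_sndbuf(int requested)
{
    struct sndbuf_result r = { -1, -1, -1 };
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return r;
    r.plain_rc = set_sndbuf(fd, SO_SNDBUF, requested);
    r.plain_effective = get_sndbuf(fd);
    r.force_rc = set_sndbuf(fd, SO_SNDBUFFORCE, requested);
    close(fd);
    return r;
}

int main(void)
{
    /* 1 GiB: far above any sane net.core.wmem_max (an assumed test value). */
    struct sndbuf_result r = probe_sndbuf(1 << 30);

    printf("SO_SNDBUF:      rc=%d, effective=%d bytes (kernel clamped to wmem_max, then doubled)\n",
           r.plain_rc, r.plain_effective);
    printf("SO_SNDBUFFORCE: rc=%d (%s)\n",
           r.force_rc, r.force_rc == 0 ? "granted: caller has CAP_NET_ADMIN"
                                        : strerror(r.force_rc));
    /* Without CAP_NET_ADMIN the second line reads "Operation not permitted";
     * under SELinux the same call logs an AVC denial for capability net_admin
     * against the calling domain, while the socket remains usable with the
     * clamped size from the first call. */
    return 0;
}
```

Run it unprivileged to see the EPERM, then again with `sudo` or after `setcap cap_net_admin+ep ./a.out` to see the forced size exceed wmem_max; on an SELinux host, compare `ausearch -m avc -ts recent` between the two runs to see the net_admin denial appear only for the forced call.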