SELinux-Refpolicy Archive on lore.kernel.org
* net_admin
From: Russell Coker @ 2019-01-05  1:31 UTC (permalink / raw)
  To: selinux-refpolicy

allow crond_t self:capability net_admin;
allow policykit_t self:capability net_admin;
allow postfix_cleanup_t self:capability net_admin;
allow postfix_master_t self:capability net_admin;
allow postfix_pickup_t self:capability net_admin;
allow postfix_qmgr_t self:capability net_admin;
allow postfix_smtp_t self:capability net_admin;
allow system_dbusd_t self:capability net_admin;

Above is some of the output from audit2allow on my laptop running the latest 
Debian/Unstable.

Seems that some recent library changes have made lots of programs try to 
change socket buffer sizes in a way that requires net_admin.  This isn't a 
sudden thing, it's been slowly increasing over time.

/* Allow interface configuration */
/* Allow administration of IP firewall, masquerading and accounting */
/* Allow setting debug option on sockets */
/* Allow modification of routing tables */
/* Allow setting arbitrary process / process group ownership on
   sockets */
/* Allow binding to any address for transparent proxying (also via NET_RAW) */
/* Allow setting TOS (type of service) */
/* Allow setting promiscuous mode */
/* Allow clearing driver statistics */
/* Allow multicasting */
/* Allow read/write of device-specific registers */
/* Allow activation of ATM control sockets */

#define CAP_NET_ADMIN        12

The above, from capability.h, lists the things that net_admin might be for.  I 
don't know what the debug option on sockets is or the process/process group 
ownership.  Setting TOS and multicast are things that many root owned 
processes might want to do.  I've been hesitant to put in dontaudit rules 
because there are many programs like the Postfix master process which might 
have a legitimate need for debug mode, process ownership, or TOS.

Below is some of the audit log analysis of denials for setting buffer size.  
Those programs work OK without it.

Should we have a tunable for dontauditing this?

Also, while we don't want to have the 300 capabilities that Irix apparently 
had, splitting net_admin into multiple capabilities seems like a good option 
(I know the probability of this is close to zero).

type=PROCTITLE msg=audit(03/09/18 10:42:19.376:20586) : proctitle=/usr/lib/dbus-1.0/dbus-daemon-launch-helper org.kde.powerdevil.backlighthelper 
type=SYSCALL msg=audit(03/09/18 10:42:19.376:20586) : arch=x86_64 syscall=setsockopt success=no exit=EPERM(Operation not permitted) a0=0x3 a1=SOL_SOCKET a2=SO_RCVBUFFORCE a3=0x7ffe74e25b30 items=0 ppid=27258 pid=27259 auid=unset uid=messagebus gid=messagebus euid=root suid=root fsuid=root egid=messagebus sgid=messagebus fsgid=messagebus tty=(none) ses=unset comm=dbus-daemon-lau exe=/usr/lib/dbus-1.0/dbus-daemon-launch-helper subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(03/09/18 10:42:19.376:20586) : avc:  denied  { net_admin } for  pid=27259 comm=dbus-daemon-lau capability=net_admin  scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(05/01/19 12:17:01.555:20586) : proctitle=/usr/sbin/CRON -f 
type=SYSCALL msg=audit(05/01/19 12:17:01.555:20586) : arch=x86_64 syscall=setsockopt success=no exit=EPERM(Operation not permitted) a0=0x3 a1=SOL_SOCKET a2=SO_SNDBUFFORCE a3=0x7ffc8f730a20 items=0 ppid=21686 pid=21688 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1120 comm=cron exe=/usr/sbin/cron subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/01/19 12:17:01.555:20586) : avc:  denied  { net_admin } for  pid=21688 comm=cron capability=net_admin  scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability permissive=0

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
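What the denied setsockopt calls in the AVC records above look like from the program's side, as an added example (this is not code from the thread, from refpolicy or from any of the daemons named above). SO_SNDBUFFORCE/SO_RCVBUFFORCE let a CAP_NET_ADMIN process exceed net.core.wmem_max/rmem_max; without the capability the kernel returns EPERM, and the usual library pattern (libsystemd's fd_inc_sndbuf() does exactly this) is to retry with plain SO_SNDBUF/SO_RCVBUF, which the kernel silently clamps. That fallback is why the programs "work ok without it": the denial is logged, but the socket buffer still gets set. The AF_UNIX datagram socket and the 8 MiB request size are assumptions chosen for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Linux-only options; fall back to the UAPI values if the headers lack them. */
#ifndef SO_SNDBUFFORCE
#define SO_SNDBUFFORCE 32
#endif
#ifndef SO_RCVBUFFORCE
#define SO_RCVBUFFORCE 33
#endif

/* Which path ended up setting the buffer. */
enum bufpath {
    BUF_FAILED = -1, /* neither setsockopt succeeded */
    BUF_FORCED = 1,  /* *FORCE succeeded: the caller holds CAP_NET_ADMIN */
    BUF_CAPPED = 2   /* EPERM on *FORCE, fell back to the clamped unprivileged option */
};

/*
 * Request a socket buffer size.  The first setsockopt is the one that
 * produces the { net_admin } AVC when the domain lacks the capability;
 * the kernel answers EPERM and we retry with the unprivileged option,
 * which is clamped to net.core.wmem_max / net.core.rmem_max instead.
 */
static enum bufpath set_bufsize(int fd, int force_opt, int plain_opt, int bytes)
{
    if (setsockopt(fd, SOL_SOCKET, force_opt, &bytes, sizeof bytes) == 0)
        return BUF_FORCED;
    if (errno != EPERM)          /* bad fd, not a socket, ...: a real error */
        return BUF_FAILED;
    if (setsockopt(fd, SOL_SOCKET, plain_opt, &bytes, sizeof bytes) == 0)
        return BUF_CAPPED;
    return BUF_FAILED;
}

/* Size the kernel actually granted.  Linux reports twice the accepted
 * value, since it reserves the other half for skb bookkeeping. */
static int get_bufsize(int fd, int plain_opt)
{
    int v = 0;
    socklen_t len = sizeof v;
    if (getsockopt(fd, SOL_SOCKET, plain_opt, &v, &len) != 0)
        return -1;
    return v;
}

/* Demonstration on an AF_UNIX datagram socket (the kind a daemon uses to
 * reach syslog/journald).  Returns the path taken; *granted receives the
 * size the kernel reports afterwards. */
enum bufpath request_sndbuf(int requested, int *granted)
{
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return BUF_FAILED;
    enum bufpath p = set_bufsize(fd, SO_SNDBUFFORCE, SO_SNDBUF, requested);
    if (granted)
        *granted = get_bufsize(fd, SO_SNDBUF);
    close(fd);
    return p;
}

/* Convenience wrapper: just the granted size, or -1 on failure. */
int granted_sndbuf(int requested)
{
    int granted = -1;
    if (request_sndbuf(requested, &granted) == BUF_FAILED)
        return -1;
    return granted;
}

int main(void)
{
    int granted = 0;
    enum bufpath p = request_sndbuf(8 * 1024 * 1024, &granted);
    printf("SO_SNDBUFFORCE: %s; kernel now reports SO_SNDBUF=%d\n",
           p == BUF_FORCED ? "allowed (CAP_NET_ADMIN)" :
           p == BUF_CAPPED ? "EPERM, fell back to SO_SNDBUF" : "failed",
           granted);
    return p == BUF_FAILED;
}
```

Run it as an unprivileged user and the reported SO_SNDBUF is twice wmem_max, not twice 8 MiB; run it with CAP_NET_ADMIN and the full request is honoured. On an SELinux system the first case is also where the AVC above appears, so the record is evidence that the fallback path was taken, not that anything broke. That is the argument for a dontaudit rule on `self:capability net_admin` for such a domain rather than an allow: granting net_admin just to silence the log would hand the domain interface configuration, routing and firewall control that the program demonstrably does not need.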





* Re: net_admin
From: Chris PeBenito @ 2019-01-05 19:33 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 1/4/19 8:31 PM, Russell Coker wrote:
> allow crond_t self:capability net_admin;
> allow policykit_t self:capability net_admin;
> allow postfix_cleanup_t self:capability net_admin;
> allow postfix_master_t self:capability net_admin;
> allow postfix_pickup_t self:capability net_admin;
> allow postfix_qmgr_t self:capability net_admin;
> allow postfix_smtp_t self:capability net_admin;
> allow system_dbusd_t self:capability net_admin;
> 
> Above is some of the output from audit2allow on my laptop running the latest
> Debian/Unstable.
> 
> Seems that some recent library changes have made lots of programs try to
> change socket buffer sizes in a way that requires net_admin.  This isn't a
> sudden thing, it's been slowly increasing over time.
> 
> /* Allow interface configuration */
> /* Allow administration of IP firewall, masquerading and accounting */
> /* Allow setting debug option on sockets */
> /* Allow modification of routing tables */
> /* Allow setting arbitrary process / process group ownership on
>     sockets */
> /* Allow binding to any address for transparent proxying (also via NET_RAW) */
> /* Allow setting TOS (type of service) */
> /* Allow setting promiscuous mode */
> /* Allow clearing driver statistics */
> /* Allow multicasting */
> /* Allow read/write of device-specific registers */
> /* Allow activation of ATM control sockets */
> 
> #define CAP_NET_ADMIN        12
> 
> The above, from capability.h, lists the things that net_admin might be for.  I
> don't know what the debug option on sockets is or the process/process group
> ownership.  Setting TOS and multicast are things that many root owned
> processes might want to do.  I've been hesitant to put in dontaudit rules
> because there are many programs like the Postfix master process which might
> have a legitimate need for debug mode, process ownership, or TOS.
> 
> Below is some of the audit log analysis of denials for setting buffer size.
> Those programs work OK without it.
> 
> Should we have a tunable for dontauditing this?

I'm not a fan of a tunable, as it seems like unnecessary overhead.  If 
anything I'd put it under the hide_broken_symptoms build option.

-- 
Chris PeBenito

