From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: net_admin
Date: Sat, 05 Jan 2019 12:31:02 +1100 [thread overview]
Message-ID: <3956956.VbaQatea7V@liv> (raw)
allow crond_t self:capability net_admin;
allow policykit_t self:capability net_admin;
allow postfix_cleanup_t self:capability net_admin;
allow postfix_master_t self:capability net_admin;
allow postfix_pickup_t self:capability net_admin;
allow postfix_qmgr_t self:capability net_admin;
allow postfix_smtp_t self:capability net_admin;
allow system_dbusd_t self:capability net_admin;
Above are some of the output from audit2allow on my laptop running the latest
Debian/Unstable.
Seems that some recent library changes have made lots of programs try to
change socket buffer sizes in a way that requires net_admin. This isn't a
sudden thing, it's been slowly increasing over time.
/* Allow interface configuration */
/* Allow administration of IP firewall, masquerading and accounting */
/* Allow setting debug option on sockets */
/* Allow modification of routing tables */
/* Allow setting arbitrary process / process group ownership on
sockets */
/* Allow binding to any address for transparent proxying (also via NET_RAW) */
/* Allow setting TOS (type of service) */
/* Allow setting promiscuous mode */
/* Allow clearing driver statistics */
/* Allow multicasting */
/* Allow read/write of device-specific registers */
/* Allow activation of ATM control sockets */
#define CAP_NET_ADMIN 12
Above from capability.h has the list of things that net_admin might be for. I
don't know what the debug option on sockets is or the process/process group
ownership. Setting TOS and multicast are things that many root owned
processes might want to do. I've been hesitant to put in dontaudit rules
because there are many programs like the Postfix master process which might
have a legitimate need for debug mode, process ownership, or TOS.
Below are some of the audit log analysis of denials for setting buffer size.
Those programs work ok without it.
Should we have a tunable for dontauditing this?
Also while we don't want to have the 300 capabilities that Irix apparently
had, splitting net_admin into multiple capabilities seems like a good option
(I know the probability of this is close to zero).
type=PROCTITLE msg=audit(03/09/18 10:42:19.376:20586) : proctitle=/usr/lib/
dbus-1.0/dbus-daemon-launch-helper org.kde.powerdevil.backlighthelper
type=SYSCALL msg=audit(03/09/18 10:42:19.376:20586) : arch=x86_64
syscall=setsockopt success=no exit=EPERM(Operation not permitted) a0=0x3
a1=SOL_SOCKET a2=SO_RCVBUFFORCE a3=0x7ffe74e25b30 items=0 ppid=27258 pid=27259
auid=unset uid=messagebus gid=messagebus euid=root suid=root fsuid=root
egid=messagebus sgid=messagebus fsgid=messagebus tty=(none) ses=unset
comm=dbus-daemon-lau exe=/usr/lib/dbus-1.0/dbus-daemon-launch-helper
subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(03/09/18 10:42:19.376:20586) : avc: denied { net_admin }
for pid=27259 comm=dbus-daemon-lau capability=net_admin
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=capability
permissive=0
----
type=PROCTITLE msg=audit(05/01/19 12:17:01.555:20586) : proctitle=/usr/sbin/
CRON -f
type=SYSCALL msg=audit(05/01/19 12:17:01.555:20586) : arch=x86_64
syscall=setsockopt success=no exit=EPERM(Operation not permitted) a0=0x3
a1=SOL_SOCKET a2=SO_SNDBUFFORCE a3=0x7ffc8f730a20 items=0 ppid=21686 pid=21688
auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=(none) ses=1120 comm=cron exe=/usr/sbin/cron
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/01/19 12:17:01.555:20586) : avc: denied { net_admin }
for pid=21688 comm=cron capability=net_admin
scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability
permissive=0
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
next reply other threads:[~2019-01-05 1:31 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-05 1:31 Russell Coker [this message]
2019-01-05 19:33 ` net_admin Chris PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3956956.VbaQatea7V@liv \
--to=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).