* net_admin
@ 2019-01-05 1:31 Russell Coker
2019-01-05 19:33 ` net_admin Chris PeBenito
0 siblings, 1 reply; 2+ messages in thread
From: Russell Coker @ 2019-01-05 1:31 UTC (permalink / raw)
To: selinux-refpolicy
allow crond_t self:capability net_admin;
allow policykit_t self:capability net_admin;
allow postfix_cleanup_t self:capability net_admin;
allow postfix_master_t self:capability net_admin;
allow postfix_pickup_t self:capability net_admin;
allow postfix_qmgr_t self:capability net_admin;
allow postfix_smtp_t self:capability net_admin;
allow system_dbusd_t self:capability net_admin;
Above are some of the output from audit2allow on my laptop running the latest
Debian/Unstable.
Seems that some recent library changes have made lots of programs try to
change socket buffer sizes in a way that requires net_admin. This isn't a
sudden thing, it's been slowly increasing over time.
/* Allow interface configuration */
/* Allow administration of IP firewall, masquerading and accounting */
/* Allow setting debug option on sockets */
/* Allow modification of routing tables */
/* Allow setting arbitrary process / process group ownership on
sockets */
/* Allow binding to any address for transparent proxying (also via NET_RAW) */
/* Allow setting TOS (type of service) */
/* Allow setting promiscuous mode */
/* Allow clearing driver statistics */
/* Allow multicasting */
/* Allow read/write of device-specific registers */
/* Allow activation of ATM control sockets */
#define CAP_NET_ADMIN 12
Above from capability.h has the list of things that net_admin might be for. I
don't know what the debug option on sockets is or the process/process group
ownership. Setting TOS and multicast are things that many root owned
processes might want to do. I've been hesitant to put in dontaudit rules
because there are many programs like the Postfix master process which might
have a legitimate need for debug mode, process ownership, or TOS.
Below are some of the audit log analysis of denials for setting buffer size.
Those programs work ok without it.
Should we have a tunable for dontauditing this?
Also while we don't want to have the 300 capabilities that Irix apparently
had, splitting net_admin into multiple capabilities seems like a good option
(I know the probability of this is close to zero).
type=PROCTITLE msg=audit(03/09/18 10:42:19.376:20586) : proctitle=/usr/lib/
dbus-1.0/dbus-daemon-launch-helper org.kde.powerdevil.backlighthelper
type=SYSCALL msg=audit(03/09/18 10:42:19.376:20586) : arch=x86_64
syscall=setsockopt success=no exit=EPERM(Operation not permitted) a0=0x3
a1=SOL_SOCKET a2=SO_RCVBUFFORCE a3=0x7ffe74e25b30 items=0 ppid=27258 pid=27259
auid=unset uid=messagebus gid=messagebus euid=root suid=root fsuid=root
egid=messagebus sgid=messagebus fsgid=messagebus tty=(none) ses=unset
comm=dbus-daemon-lau exe=/usr/lib/dbus-1.0/dbus-daemon-launch-helper
subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(03/09/18 10:42:19.376:20586) : avc: denied { net_admin }
for pid=27259 comm=dbus-daemon-lau capability=net_admin
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=capability
permissive=0
----
type=PROCTITLE msg=audit(05/01/19 12:17:01.555:20586) : proctitle=/usr/sbin/
CRON -f
type=SYSCALL msg=audit(05/01/19 12:17:01.555:20586) : arch=x86_64
syscall=setsockopt success=no exit=EPERM(Operation not permitted) a0=0x3
a1=SOL_SOCKET a2=SO_SNDBUFFORCE a3=0x7ffc8f730a20 items=0 ppid=21686 pid=21688
auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=(none) ses=1120 comm=cron exe=/usr/sbin/cron
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/01/19 12:17:01.555:20586) : avc: denied { net_admin }
for pid=21688 comm=cron capability=net_admin
scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability
permissive=0
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
^ permalink raw reply [flat|nested] 2+ messages in thread* Re: net_admin
2019-01-05 1:31 net_admin Russell Coker
@ 2019-01-05 19:33 ` Chris PeBenito
0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2019-01-05 19:33 UTC (permalink / raw)
To: Russell Coker, selinux-refpolicy
On 1/4/19 8:31 PM, Russell Coker wrote:
> allow crond_t self:capability net_admin;
> allow policykit_t self:capability net_admin;
> allow postfix_cleanup_t self:capability net_admin;
> allow postfix_master_t self:capability net_admin;
> allow postfix_pickup_t self:capability net_admin;
> allow postfix_qmgr_t self:capability net_admin;
> allow postfix_smtp_t self:capability net_admin;
> allow system_dbusd_t self:capability net_admin;
>
> Above are some of the output from audit2allow on my laptop running the latest
> Debian/Unstable.
>
> Seems that some recent library changes have made lots of programs try to
> change socket buffer sizes in a way that requires net_admin. This isn't a
> sudden thing, it's been slowly increasing over time.
>
> /* Allow interface configuration */
> /* Allow administration of IP firewall, masquerading and accounting */
> /* Allow setting debug option on sockets */
> /* Allow modification of routing tables */
> /* Allow setting arbitrary process / process group ownership on
> sockets */
> /* Allow binding to any address for transparent proxying (also via NET_RAW) */
> /* Allow setting TOS (type of service) */
> /* Allow setting promiscuous mode */
> /* Allow clearing driver statistics */
> /* Allow multicasting */
> /* Allow read/write of device-specific registers */
> /* Allow activation of ATM control sockets */
>
> #define CAP_NET_ADMIN 12
>
> Above from capability.h has the list of things that net_admin might be for. I
> don't know what the debug option on sockets is or the process/process group
> ownership. Setting TOS and multicast are things that many root owned
> processes might want to do. I've been hesitant to put in dontaudit rules
> because there are many programs like the Postfix master process which might
> have a legitimate need for debug mode, process ownership, or TOS.
>
> Below are some of the audit log analysis of denials for setting buffer size.
> Those programs work ok without it.
>
> Should we have a tunable for dontauditing this?
I'm not a fan of a tunable, as it seems like unnecessary overhead. If
anything I'd put it under the hide_broken_symptoms build option.
--
Chris PeBenito
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-01-05 19:39 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-05 1:31 net_admin Russell Coker
2019-01-05 19:33 ` net_admin Chris PeBenito
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).