* [PATCH] dontaudit net_admin
@ 2022-02-13 10:22 Russell Coker
2022-02-16 11:40 ` Chris PeBenito
From: Russell Coker @ 2022-02-13 10:22 UTC
To: selinux-refpolicy
This patch has dontaudit rules for some net_admin accesses that are from
changing buffer sizes. The programs in question work fine like this.
I think this is worthy of inclusion.
Signed-off-by: Russell Coker <russell@coker.com.au>
Index: refpolicy-2.20220106/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20220106.orig/policy/modules/services/cron.te
+++ refpolicy-2.20220106/policy/modules/services/cron.te
@@ -176,6 +176,10 @@ tunable_policy(`fcron_crond',`
# Daemon local policy
#
+ifdef(`hide_broken_symptoms',`
+# for changing buffer sizes
+dontaudit crond_t self:capability net_admin;
+')
allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
dontaudit crond_t self:capability { sys_tty_config };
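Review bot: the comment `# for changing buffer sizes` above `dontaudit crond_t self:capability net_admin;` should name the operation being silenced, because a dontaudit hides evidence and the next person debugging an unexplained crond failure needs to know what was hidden. The kernel consults CAP_NET_ADMIN for a buffer-size change only on the SO_SNDBUFFORCE/SO_RCVBUFFORCE setsockopt path; the plain SO_SNDBUF/SO_RCVBUF path clamps to net.core.wmem_max/rmem_max without any capability check, which is also why the daemon runs fine without the permission. Suggest `# SO_SNDBUFFORCE/SO_RCVBUFFORCE probe, falls back to SO_SNDBUF/SO_RCVBUF` or similar, with the same wording in the other three files.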
Index: refpolicy-2.20220106/policy/modules/services/dbus.te
===================================================================
--- refpolicy-2.20220106.orig/policy/modules/services/dbus.te
+++ refpolicy-2.20220106/policy/modules/services/dbus.te
@@ -71,6 +71,10 @@ ifdef(`enable_mls',`
# Local policy
#
+ifdef(`hide_broken_symptoms',`
+# for changing buffer sizes
+dontaudit system_dbusd_t self:capability net_admin;
+')
allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
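Review bot: the new ifdef block lands before `allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };`, whereas this file, cron.te and postfix.te all list the allow rule first and the capability dontaudit after it (`dontaudit system_dbusd_t self:capability sys_tty_config;`). Moving the block to just after that dontaudit line keeps the capability rules together in the order these files already use. If the ifdef wrapper is dropped, net_admin could simply join the existing rule as `dontaudit system_dbusd_t self:capability { net_admin sys_tty_config };`.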
Index: refpolicy-2.20220106/policy/modules/services/policykit.te
===================================================================
--- refpolicy-2.20220106.orig/policy/modules/services/policykit.te
+++ refpolicy-2.20220106/policy/modules/services/policykit.te
@@ -68,6 +68,10 @@ miscfiles_read_localization(policykit_do
# Local policy
#
+ifdef(`hide_broken_symptoms',`
+# for changing buffer sizes
+dontaudit policykit_t self:capability net_admin;
+')
allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
allow policykit_t self:process { getsched setsched signal };
allow policykit_t self:unix_stream_socket { accept connectto listen };
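Review bot: the `ifdef(`hide_broken_symptoms',` wrapper around `dontaudit policykit_t self:capability net_admin;` implies the suppression is optional, but as Chris PeBenito points out in the reply the flag is always on in practice, so the block never compiles out and the wrapper only adds noise. Either drop it and write the plain dontaudit, or keep it and say in the commit message why this particular suppression is expected to be toggled off. Worth stating explicitly either way that no allow rule is added anywhere in the patch: polkit gains no privilege here, only the AVC message for the failed capability check disappears.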
Index: refpolicy-2.20220106/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20220106.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20220106/policy/modules/services/postfix.te
@@ -107,6 +107,10 @@ mta_mailserver_delivery(postfix_virtual_
# Common postfix domain local policy
#
+ifdef(`hide_broken_symptoms',`
+# for changing buffer sizes
+dontaudit postfix_domain self:capability net_admin;
+')
allow postfix_domain self:capability { sys_chroot sys_nice };
dontaudit postfix_domain self:capability sys_tty_config;
allow postfix_domain self:process { signal_perms setpgid setsched };
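Review bot: `postfix_domain` is an attribute, not a single type like `crond_t`, `system_dbusd_t` and `policykit_t` in the other hunks, so this one rule silences net_admin denials for every postfix domain at once. That grants nothing (dontaudit never does), but a postfix process that genuinely needed net_admin, rather than merely probing a buffer-size setsockopt, would then fail with no AVC record in enforcing mode. The commit message should say which postfix domains actually produced the denial, and anyone diagnosing such a silent failure later needs to know that `semodule -DB` rebuilds the policy with dontaudit rules disabled so the message reappears.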
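To make concrete what "net_admin accesses that are from changing buffer sizes" refers to, here is an added example in C. It is not code from the patch or from cron, dbus, polkit or postfix; it shows the pattern that produces this denial: try the privileged SO_RCVBUFFORCE setsockopt, which is where the kernel checks CAP_NET_ADMIN and where SELinux logs the net_admin AVC, and fall back to plain SO_RCVBUF when that is refused. That systemd-style socket code uses exactly this try-then-fall-back sequence is my assumption, as is the choice of AF_UNIX socketpair and the two request sizes, which are constructed for the example; the thread does not say which setsockopt each daemon issues.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome of one receive-buffer request. */
struct rcvbuf_result {
    int effective;    /* size the kernel now reports via SO_RCVBUF, -1 on error */
    int force_denied; /* 1 if SO_RCVBUFFORCE failed with EPERM (the CAP_NET_ADMIN check) */
};

/*
 * Request a receive buffer of `want` bytes. SO_RCVBUFFORCE ignores
 * net.core.rmem_max but requires CAP_NET_ADMIN; under SELinux that
 * capable() check is what logs "avc: denied { net_admin } ... tclass=capability"
 * for a domain lacking the permission, while the syscall itself only
 * returns EPERM. On EPERM fall back to SO_RCVBUF, which clamps the request
 * to rmem_max instead of failing, so the caller keeps a working socket.
 * That harmless failure is what the dontaudit rules in the patch silence.
 * (Assumed pattern for the example, not taken from any of the daemons.)
 */
struct rcvbuf_result set_rcvbuf_with_fallback(int fd, int want)
{
    struct rcvbuf_result r = { -1, 0 };
    socklen_t len = sizeof r.effective;

    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &want, sizeof want) != 0) {
        if (errno != EPERM)
            return r;               /* EBADF, ENOTSOCK, ...: a real failure */
        r.force_denied = 1;
        if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &want, sizeof want) != 0)
            return r;
    }
    if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &r.effective, &len) != 0)
        r.effective = -1;
    return r;
}

/*
 * Run the request against a fresh AF_UNIX datagram socketpair (constructed
 * here so the example needs no network). Returns the effective size, or -1
 * on error, and reports via force_denied whether the privileged path was
 * refused. Linux stores and reports twice the requested value to account
 * for bookkeeping overhead, so a 16384 request reads back as 32768.
 */
int rcvbuf_demo(int want, int *force_denied)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return -1;
    struct rcvbuf_result r = set_rcvbuf_with_fallback(sv[0], want);
    close(sv[0]);
    close(sv[1]);
    if (force_denied)
        *force_denied = r.force_denied;
    return r.effective;
}

int main(void)
{
    /* One request below the usual rmem_max (212992), one far above it. */
    int wants[] = { 16384, 64 * 1024 * 1024 };
    for (size_t i = 0; i < sizeof wants / sizeof wants[0]; i++) {
        int denied = 0;
        int got = rcvbuf_demo(wants[i], &denied);
        printf("requested %d: effective %d%s\n", wants[i], got,
               denied ? " (SO_RCVBUFFORCE refused with EPERM, fell back to SO_RCVBUF)"
                      : " (SO_RCVBUFFORCE accepted, CAP_NET_ADMIN held)");
    }
    return 0;
}
```

Run it as an ordinary user and the first setsockopt is refused with EPERM, the fallback succeeds, and the large request is clamped to rmem_max: the process works, which is the situation the patch's cover letter describes. Run it with CAP_NET_ADMIN and the large request is honoured. On an enforcing SELinux system a domain without `capability net_admin` gets the same EPERM even when the process holds CAP_NET_ADMIN, and that is the AVC the dontaudit rules hide; `semodule -DB` rebuilds the policy with dontaudit rules disabled if the message is needed again.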
* Re: [PATCH] dontaudit net_admin
2022-02-13 10:22 [PATCH] dontaudit net_admin Russell Coker
@ 2022-02-16 11:40 ` Chris PeBenito
From: Chris PeBenito @ 2022-02-16 11:40 UTC
To: Russell Coker, selinux-refpolicy
On 2/13/22 05:22, Russell Coker wrote:
> This patch has dontaudit rules for some net_admin accesses that are from
> changing buffer sizes. The programs in question work fine like this.
>
> I think this is worthy of inclusion.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
I'm onboard with the rule additions but am unsure on the broken symptoms.
I'm unsure having that block has real value, since it's always on and I've never
heard anyone turning it off.
> Index: refpolicy-2.20220106/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20220106.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20220106/policy/modules/services/cron.te
> @@ -176,6 +176,10 @@ tunable_policy(`fcron_crond',`
> # Daemon local policy
> #
>
> +ifdef(`hide_broken_symptoms',`
> +# for changing buffer sizes
> +dontaudit crond_t self:capability net_admin;
> +')
> allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
> dontaudit crond_t self:capability { sys_tty_config };
>
> Index: refpolicy-2.20220106/policy/modules/services/dbus.te
> ===================================================================
> --- refpolicy-2.20220106.orig/policy/modules/services/dbus.te
> +++ refpolicy-2.20220106/policy/modules/services/dbus.te
> @@ -71,6 +71,10 @@ ifdef(`enable_mls',`
> # Local policy
> #
>
> +ifdef(`hide_broken_symptoms',`
> +# for changing buffer sizes
> +dontaudit system_dbusd_t self:capability net_admin;
> +')
> allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
> dontaudit system_dbusd_t self:capability sys_tty_config;
> allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
> Index: refpolicy-2.20220106/policy/modules/services/policykit.te
> ===================================================================
> --- refpolicy-2.20220106.orig/policy/modules/services/policykit.te
> +++ refpolicy-2.20220106/policy/modules/services/policykit.te
> @@ -68,6 +68,10 @@ miscfiles_read_localization(policykit_do
> # Local policy
> #
>
> +ifdef(`hide_broken_symptoms',`
> +# for changing buffer sizes
> +dontaudit policykit_t self:capability net_admin;
> +')
> allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
> allow policykit_t self:process { getsched setsched signal };
> allow policykit_t self:unix_stream_socket { accept connectto listen };
> Index: refpolicy-2.20220106/policy/modules/services/postfix.te
> ===================================================================
> --- refpolicy-2.20220106.orig/policy/modules/services/postfix.te
> +++ refpolicy-2.20220106/policy/modules/services/postfix.te
> @@ -107,6 +107,10 @@ mta_mailserver_delivery(postfix_virtual_
> # Common postfix domain local policy
> #
>
> +ifdef(`hide_broken_symptoms',`
> +# for changing buffer sizes
> +dontaudit postfix_domain self:capability net_admin;
> +')
> allow postfix_domain self:capability { sys_chroot sys_nice };
> dontaudit postfix_domain self:capability sys_tty_config;
> allow postfix_domain self:process { signal_perms setpgid setsched };
--
Chris PeBenito