Re: net_admin

On 1/4/19 8:31 PM, Russell Coker wrote:
> allow crond_t self:capability net_admin;
> allow policykit_t self:capability net_admin;
> allow postfix_cleanup_t self:capability net_admin;
> allow postfix_master_t self:capability net_admin;
> allow postfix_pickup_t self:capability net_admin;
> allow postfix_qmgr_t self:capability net_admin;
> allow postfix_smtp_t self:capability net_admin;
> allow system_dbusd_t self:capability net_admin;
>
> Above is some of the output from audit2allow on my laptop running the latest
> Debian/Unstable.
>
> Seems that some recent library changes have made lots of programs try to
> change socket buffer sizes in a way that requires net_admin.  This isn't a
> sudden thing, it's been slowly increasing over time.
>
> /* Allow interface configuration */
> /* Allow administration of IP firewall, masquerading and accounting */
> /* Allow setting debug option on sockets */
> /* Allow modification of routing tables */
> /* Allow setting arbitrary process / process group ownership on
>     sockets */
> /* Allow binding to any address for transparent proxying (also via NET_RAW) */
> /* Allow setting TOS (type of service) */
> /* Allow setting promiscuous mode */
> /* Allow clearing driver statistics */
> /* Allow multicasting */
> /* Allow read/write of device-specific registers */
> /* Allow activation of ATM control sockets */
>
> #define CAP_NET_ADMIN        12
>
> Above from capability.h is the list of things that net_admin might be for.  I
> don't know what the debug option on sockets is or the process/process group
> ownership.  Setting TOS and multicast are things that many root owned
> processes might want to do.  I've been hesitant to put in dontaudit rules
> because there are many programs like the Postfix master process which might
> have a legitimate need for debug mode, process ownership, or TOS.
>
> Below is some of the audit log analysis of denials for setting buffer size.
> Those programs work ok without it.
>
> Should we have a tunable for dontauditing this?

I'm not a fan of a tunable, as it seems like unnecessary overhead. If anything I'd put it under the hide_broken_symptoms build option.

--
Chris PeBenito