Re: [PATCH] dontaudit net_admin

On 2/13/22 05:22, Russell Coker wrote:
This patch has dontaudit rules for some net_admin accesses that are from
changing buffer sizes.  The programs in question work fine like this.

I think this is worthy of inclusion.

Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>

I'm onboard with the rule additions but am unsure on the broken symptoms. I'm unsure having that block has real value, since it's always on and I've never heard of anyone turning it off.


Index: refpolicy-2.20220106/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20220106.orig/policy/modules/services/cron.te
+++ refpolicy-2.20220106/policy/modules/services/cron.te
@@ -176,6 +176,10 @@ tunable_policy(`fcron_crond',`
  # Daemon local policy
  #
+ifdef(`hide_broken_symptoms',`
+# for changing buffer sizes
+dontaudit crond_t self:capability net_admin;
+')
  allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
  dontaudit crond_t self:capability { sys_tty_config };
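Review bot: the comment "for changing buffer sizes" is too vague to justify a dontaudit on net_admin, which covers far more than socket buffer sizing (interface and routing configuration among other things). `dontaudit crond_t self:capability net_admin;` therefore silences every net_admin denial from crond_t, not just the one this patch is about, and a denial that would point at a compromised or misbehaving cron no longer shows up in the audit log. Please say in the comment which call produces the denial so a later reader can tell the known benign one from a new one, and note that dontaudit only hides the denial: the kernel still returns EPERM, so the statement that the programs "work fine like this" is what justifies the rule and belongs in the comment too. Style: the domain already has `dontaudit crond_t self:capability { sys_tty_config };` two lines below; if the ifdef block has no practical effect, as the reply above says, adding net_admin to that existing line reads more cleanly than a separate block placed ahead of the allow rule.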
Index: refpolicy-2.20220106/policy/modules/services/dbus.te
===================================================================
--- refpolicy-2.20220106.orig/policy/modules/services/dbus.te
+++ refpolicy-2.20220106/policy/modules/services/dbus.te
@@ -71,6 +71,10 @@ ifdef(`enable_mls',`
  # Local policy
  #
+ifdef(`hide_broken_symptoms',`
+# for changing buffer sizes
+dontaudit system_dbusd_t self:capability net_admin;
+')
  allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
  dontaudit system_dbusd_t self:capability sys_tty_config;
  allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
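Review bot: the same rule and the same comment are being added verbatim to four unrelated daemons, which suggests one shared library they all link rather than four separate bugs in dbus, cron, polkit and postfix. If that is the case, the comment should name the library, so the next domain that links it can get the same treatment for the same reason; if it is not, each file should say what that daemon is resizing. Also, `dontaudit system_dbusd_t self:capability sys_tty_config;` already exists one line below the new block; merging to `dontaudit system_dbusd_t self:capability { net_admin sys_tty_config };` keeps the dontaudit rules for the class together and follows the allow rule as the rest of this section does.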
Index: refpolicy-2.20220106/policy/modules/services/policykit.te
===================================================================
--- refpolicy-2.20220106.orig/policy/modules/services/policykit.te
+++ refpolicy-2.20220106/policy/modules/services/policykit.te
@@ -68,6 +68,10 @@ miscfiles_read_localization(policykit_do
  # Local policy
  #
+ifdef(`hide_broken_symptoms',`
+# for changing buffer sizes
+dontaudit policykit_t self:capability net_admin;
+')
  allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
  allow policykit_t self:process { getsched setsched signal };
  allow policykit_t self:unix_stream_socket { accept connectto listen };
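Review bot: policykit_t is the only one of the four domains with no existing capability dontaudit, so there is nothing to merge with here, but the new block still lands ahead of `allow policykit_t self:capability { ... }` while the file otherwise lists allow rules first; moving it after the allow keeps the ordering consistent with the other three hunks once they are tidied. It would also help to confirm in the commit message that the net_admin denial was observed for policykit_t itself and not only for one of the other policykit domains, since this hunk only changes the main daemon domain.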
Index: refpolicy-2.20220106/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20220106.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20220106/policy/modules/services/postfix.te
@@ -107,6 +107,10 @@ mta_mailserver_delivery(postfix_virtual_
  # Common postfix domain local policy
  #
+ifdef(`hide_broken_symptoms',`
+# for changing buffer sizes
+dontaudit postfix_domain self:capability net_admin;
+')
  allow postfix_domain self:capability { sys_chroot sys_nice };
  dontaudit postfix_domain self:capability sys_tty_config;
  allow postfix_domain self:process { signal_perms setpgid setsched };
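Review bot: postfix_domain is an attribute, so unlike the other three hunks this dontaudit applies to every postfix domain carrying it at once, including the ones that handle network traffic, where a silenced net_admin denial is the most costly to lose. Please confirm the denial was actually seen on more than one postfix domain before putting the rule on the attribute; if it came from a single daemon, dontaudit that domain instead. The line `dontaudit postfix_domain self:capability sys_tty_config;` directly below is the natural place for net_admin if the attribute-wide rule is what is wanted.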


--
Chris PeBenito


