From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] dontaudit net_admin without hide_broken_symptoms
Date: Thu, 17 Feb 2022 00:07:30 +1100 [thread overview]
Message-ID: <Ygz3EsQcUwfprPD7@xev.coker.com.au> (raw)
Sending this patch again without the ifdef, I agree that the ifdef isn't very
useful nowadays.
Signed-off-by: Russell Coker <russell@coker.com.au>
Index: refpolicy-2.20220216/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20220216.orig/policy/modules/services/cron.te
+++ refpolicy-2.20220216/policy/modules/services/cron.te
@@ -172,6 +172,8 @@ tunable_policy(`fcron_crond',`
# Daemon local policy
#
+# for changing buffer sizes
+dontaudit crond_t self:capability net_admin;
allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
dontaudit crond_t self:capability { sys_tty_config };
Index: refpolicy-2.20220216/policy/modules/services/dbus.te
===================================================================
--- refpolicy-2.20220216.orig/policy/modules/services/dbus.te
+++ refpolicy-2.20220216/policy/modules/services/dbus.te
@@ -67,6 +67,8 @@ ifdef(`enable_mls',`
# Local policy
#
+# for changing buffer sizes
+dontaudit system_dbusd_t self:capability net_admin;
allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
Index: refpolicy-2.20220216/policy/modules/services/policykit.te
===================================================================
--- refpolicy-2.20220216.orig/policy/modules/services/policykit.te
+++ refpolicy-2.20220216/policy/modules/services/policykit.te
@@ -68,6 +68,8 @@ miscfiles_read_localization(policykit_do
# Local policy
#
+# for changing buffer sizes
+dontaudit policykit_t self:capability net_admin;
allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
allow policykit_t self:process { getsched setsched signal };
allow policykit_t self:unix_stream_socket { accept connectto listen };
Index: refpolicy-2.20220216/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20220216.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20220216/policy/modules/services/postfix.te
@@ -107,6 +107,8 @@ mta_mailserver_delivery(postfix_virtual_
# Common postfix domain local policy
#
+# for changing buffer sizes
+dontaudit postfix_domain self:capability net_admin;
allow postfix_domain self:capability { sys_chroot sys_nice };
dontaudit postfix_domain self:capability sys_tty_config;
allow postfix_domain self:process { signal_perms setpgid setsched };
next reply other threads:[~2022-02-16 13:07 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-16 13:07 Russell Coker [this message]
2022-02-16 16:07 ` [PATCH] dontaudit net_admin without hide_broken_symptoms Chris PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Ygz3EsQcUwfprPD7@xev.coker.com.au \
--to=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).