From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] dontaudit net_admin without hide_broken_symptoms
Date: Wed, 16 Feb 2022 11:07:26 -0500
Message-ID: <d3fecfba-53e9-06d2-0618-b585057d0baf@ieee.org>
In-Reply-To: <Ygz3EsQcUwfprPD7@xev.coker.com.au>

On 2/16/22 08:07, Russell Coker wrote:
> Sending this patch again without the ifdef, I agree that the ifdef isn't very
> useful nowadays.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
> Index: refpolicy-2.20220216/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20220216.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20220216/policy/modules/services/cron.te
> @@ -172,6 +172,8 @@ tunable_policy(`fcron_crond',`
>   # Daemon local policy
>   #
>   
> +# for changing buffer sizes
> +dontaudit crond_t self:capability net_admin;
>   allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
>   dontaudit crond_t self:capability { sys_tty_config };
>   
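Review bot: the new rule duplicates the source/target/class of the existing `dontaudit crond_t self:capability { sys_tty_config };` two lines below; fold it in as `dontaudit crond_t self:capability { net_admin sys_tty_config };`, which also keeps this file's convention of listing dontaudit rules after the allow rule rather than before it. The comment "for changing buffer sizes" states the purpose but not the operation that produces the denial; naming the call the daemon makes would let a later reader judge whether the dontaudit still matches what is being silenced.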
> Index: refpolicy-2.20220216/policy/modules/services/dbus.te
> ===================================================================
> --- refpolicy-2.20220216.orig/policy/modules/services/dbus.te
> +++ refpolicy-2.20220216/policy/modules/services/dbus.te
> @@ -67,6 +67,8 @@ ifdef(`enable_mls',`
>   # Local policy
>   #
>   
> +# for changing buffer sizes
> +dontaudit system_dbusd_t self:capability net_admin;
>   allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
>   dontaudit system_dbusd_t self:capability sys_tty_config;
>   allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
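Review bot: `dontaudit system_dbusd_t self:capability sys_tty_config;` already exists two lines below, so a second dontaudit on the same source, target and class is unnecessary; merge them into `dontaudit system_dbusd_t self:capability { net_admin sys_tty_config };` placed after the allow line, matching the ordering already used in this block.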
> Index: refpolicy-2.20220216/policy/modules/services/policykit.te
> ===================================================================
> --- refpolicy-2.20220216.orig/policy/modules/services/policykit.te
> +++ refpolicy-2.20220216/policy/modules/services/policykit.te
> @@ -68,6 +68,8 @@ miscfiles_read_localization(policykit_do
>   # Local policy
>   #
>   
> +# for changing buffer sizes
> +dontaudit policykit_t self:capability net_admin;
>   allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
>   allow policykit_t self:process { getsched setsched signal };
>   allow policykit_t self:unix_stream_socket { accept connectto listen };
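Review bot: the new dontaudit is inserted before `allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };`, while the other files touched by this patch keep their dontaudit capability rules after the corresponding allow; move it below the allow for consistency. This domain has no other dontaudit on self:capability, so the comment is the only record of why net_admin is silenced here; stating which policykit program triggers the denial would make that record useful when the policy is reviewed later.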
> Index: refpolicy-2.20220216/policy/modules/services/postfix.te
> ===================================================================
> --- refpolicy-2.20220216.orig/policy/modules/services/postfix.te
> +++ refpolicy-2.20220216/policy/modules/services/postfix.te
> @@ -107,6 +107,8 @@ mta_mailserver_delivery(postfix_virtual_
>   # Common postfix domain local policy
>   #
>   
> +# for changing buffer sizes
> +dontaudit postfix_domain self:capability net_admin;
>   allow postfix_domain self:capability { sys_chroot sys_nice };
>   dontaudit postfix_domain self:capability sys_tty_config;
>   allow postfix_domain self:process { signal_perms setpgid setsched };
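Review bot: `dontaudit postfix_domain self:capability sys_tty_config;` already exists two lines below; fold net_admin into it as `dontaudit postfix_domain self:capability { net_admin sys_tty_config };`. Since this block is the "Common postfix domain local policy", the rule silences the denial for every postfix domain carrying that attribute at once; if only some of those domains change buffer sizes, the comment should say which ones, so the broader suppression is a deliberate choice rather than an accident of where the rule was placed.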

Merged.

-- 
Chris PeBenito
