commit:     997b61a104f916f9883d5dfdc2e3510ecc7f3d61
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Mar 25 16:31:20 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=997b61a1

dontaudit net_admin for SO_SNDBUFFORCE

The following patch adds dontaudit rules for where the net_admin capability
is requested due to SO_SNDBUFFORCE.  This forces the caller to use SO_SNDBUF
which gives the same result but possibly a smaller buffer.

>From Russell Coker

 policy/modules/contrib/rpcbind.te | 4 +++-
 policy/modules/contrib/tor.te     | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/rpcbind.te 
b/policy/modules/contrib/rpcbind.te
index 8e752265..abe55b18 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.11.1)
+policy_module(rpcbind, 1.11.2)
 
 ########################################
 #
@@ -26,6 +26,8 @@ files_type(rpcbind_var_lib_t)
 #
 
 allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit rpcbind_t self:capability net_admin;
 allow rpcbind_t self:fifo_file rw_fifo_file_perms;
 allow rpcbind_t self:unix_stream_socket { accept listen };
 allow rpcbind_t self:tcp_socket { accept listen };

diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index a68e5d9e..3b48ba5e 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.13.1)
+policy_module(tor, 1.13.2)
 
 ########################################
 #
@@ -42,6 +42,8 @@ init_daemon_pid_file(tor_var_run_t, dir, "tor")
 #
 
 allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid 
setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit tor_t self:capability net_admin;
 allow tor_t self:process signal;
 allow tor_t self:fifo_file rw_fifo_file_perms;
 allow tor_t self:unix_stream_socket { accept listen };

Reply via email to