From 43f197494a30c57499250df79f56bf1cb2aa3edb Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Sat, 25 Mar 2017 12:32:01 -0400
Subject: [PATCH] dontaudit net_admin for SO_SNDBUFFORCE
The following patch adds dontaudit rules for where the net_admin capability is requested due to SO_SNDBUFFORCE. This forces the caller to use SO_SNDBUF which gives the same result but possibly a smaller buffer. From Russell Coker
---
policy/modules/contrib | 2 +-
policy/modules/services/ssh.if | 2 ++
policy/modules/services/ssh.te | 2 +-
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib b/policy/modules/contrib
index 2bd846e32..2c507992a 160000
--- a/policy/modules/contrib
+++ b/policy/modules/contrib
@@ -1 +1 @@
-Subproject commit 2bd846e32b0634be6414299a106dffb5edb1b4a0
+Subproject commit 2c507992a931d3afa2b19d9dd8ce5d91368a46f6
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index eb7fdceb0..21374c77e 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -182,6 +182,8 @@ template(`ssh_server_template', `
 files_pid_file($1_var_run_t)
 allow $1_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot sys_nice sys_resource sys_tty_config };
+ # net_admin is for SO_SNDBUFFORCE
+ dontaudit $1_t self:capability net_admin;
 allow $1_t self:fifo_file rw_fifo_file_perms;
 allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
 allow $1_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 69d0a1d46..13e9a7388 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.9.1)
+policy_module(ssh, 2.9.2)
 ########################################
 #
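Review bot: The new `dontaudit $1_t self:capability net_admin;` in the ssh.if hunk silences every net_admin denial for the $1_t domain, not only the one raised by SO_SNDBUFFORCE, so the comment above it understates the scope and a later, unrelated net_admin request from the same domain would no longer show up in the AVC log. The one-line comment should say so explicitly, e.g. `# sshd asks for net_admin only to try SO_SNDBUFFORCE; the denial is harmless (it falls back to SO_SNDBUF), so it is silenced rather than granted -- this hides all net_admin denials for this domain`. It would also help a maintainer to note that the suppressed denials can be made visible again for debugging with `semodule -DB`. Since the rule applies to every domain instantiated by ssh_server_template, the commit message could mention that the suppression reaches all callers of the template, not just sshd; the template body starts and ends outside the hunk.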