dontaudit net_admin for SO_SNDBUFFORCE

The following patch adds dontaudit rules for where the net_admin capability
is requested due to SO_SNDBUFFORCE.  This forces the caller to use SO_SNDBUF
which gives the same result but possibly a smaller buffer.

From Russell Coker

2 files changed, 6 insertions, 2 deletions

diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 8e752265..abe55b18 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.11.1)
+policy_module(rpcbind, 1.11.2)
 
 ########################################
 #
@@ -26,6 +26,8 @@ files_type(rpcbind_var_lib_t)
 #
 
 allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit rpcbind_t self:capability net_admin;
 allow rpcbind_t self:fifo_file rw_fifo_file_perms;
 allow rpcbind_t self:unix_stream_socket { accept listen };
 allow rpcbind_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index a68e5d9e..3b48ba5e 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.13.1)
+policy_module(tor, 1.13.2)
 
 ########################################
 #
@@ -42,6 +42,8 @@ init_daemon_pid_file(tor_var_run_t, dir, "tor")
 #
 
 allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit tor_t self:capability net_admin;
 allow tor_t self:process signal;
 allow tor_t self:fifo_file rw_fifo_file_perms;
 allow tor_t self:unix_stream_socket { accept listen };