From 997b61a104f916f9883d5dfdc2e3510ecc7f3d61 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <pebenito@ieee.org>
Date: Sat, 25 Mar 2017 12:31:20 -0400
Subject: dontaudit net_admin for SO_SNDBUFFORCE

The following patch adds dontaudit rules for where the net_admin capability
is requested due to SO_SNDBUFFORCE.  This forces the caller to use SO_SNDBUF
which gives the same result but possibly a smaller buffer.

From Russell Coker
---
 policy/modules/contrib/rpcbind.te | 4 +++-
 policy/modules/contrib/tor.te     | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 8e7522654..abe55b181 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.11.1)
+policy_module(rpcbind, 1.11.2)
 
 ########################################
 #
@@ -26,6 +26,8 @@ files_type(rpcbind_var_lib_t)
 #
 
 allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit rpcbind_t self:capability net_admin;
 allow rpcbind_t self:fifo_file rw_fifo_file_perms;
 allow rpcbind_t self:unix_stream_socket { accept listen };
 allow rpcbind_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index a68e5d9ee..3b48ba5ec 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.13.1)
+policy_module(tor, 1.13.2)
 
 ########################################
 #
@@ -42,6 +42,8 @@ init_daemon_pid_file(tor_var_run_t, dir, "tor")
 #
 
 allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit tor_t self:capability net_admin;
 allow tor_t self:process signal;
 allow tor_t self:fifo_file rw_fifo_file_perms;
 allow tor_t self:unix_stream_socket { accept listen };
-- 
cgit v1.2.3-65-gdbad