From: Russell Coker <russell@coker.com.au>
To: Virendra Thakur <thakur.virendra1810@gmail.com>,
Akash.Hadke@kpit.com, Chris PeBenito <pebenito@ieee.org>
Cc: Virendra Thakur <virendra.thakur@kpit.com>,
SELinux Reference Policy mailing list
<selinux-refpolicy@vger.kernel.org>
Subject: Re: [refpolicy][PATCH] udev: allow udevadmin to extend socket recv buffer
Date: Fri, 08 Aug 2025 00:08:01 +1000 [thread overview]
Message-ID: <2291363.6tgchFWduM@xev> (raw)
In-Reply-To: <e07b0c40-3f37-4e0b-b74d-ce5d90518245@ieee.org>
On Thursday, 7 August 2025 23:57:34 AEST Chris PeBenito wrote:
> On 8/7/2025 1:58 AM, Virendra Thakur wrote:
> > Upstream systemd commit [eba449fa81f6] (PR #29872) modifies
> > udevadm-trigger
> > and sd-device-monitor to unconditionally increase the receive buffer size
> > on netlink sockets. This helps avoid failures under high event loads,
> >
> > References:
> > - https://github.com/systemd/systemd/pull/29872
> >
> > To support this in SELinux, Allow udevadm to use CAP_NET_ADMIN to extend
> > the socket receive buffer to hold more events.
> >
> > Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
> > Signed-off-by: Virendra Thakur <thakur.virendra1810@gmail.com>
> > ---
> >
> > policy/modules/system/udev.te | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> > index e245a66a4..911121771 100644
> > --- a/policy/modules/system/udev.te
> > +++ b/policy/modules/system/udev.te
> > @@ -406,6 +406,7 @@ optional_policy(`
> >
> > allow udevadm_t self:capability dac_read_search;
> > allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
> > allow udevadm_t self:unix_stream_socket create_socket_perms;
> >
> > +allow udevadm_t self:capability { net_admin };
> >
> > stream_connect_pattern(udevadm_t, udev_runtime_t, udev_runtime_t,
> > udev_t)
>
> Please put the permission on the same line as the existing
> dac_read_search capability.
Please put a comment in the te file about this to make it clear it's not just
another of the systemd daemons needlessly changing buffer sizes.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
prev parent reply other threads:[~2025-08-07 14:08 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20250807055834.83153-1-thakur.virendra1810@gmail.com>
2025-08-07 13:57 ` [refpolicy][PATCH] udev: allow udevadmin to extend socket recv buffer Chris PeBenito
2025-08-07 14:08 ` Russell Coker [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2291363.6tgchFWduM@xev \
--to=russell@coker.com.au \
--cc=Akash.Hadke@kpit.com \
--cc=pebenito@ieee.org \
--cc=selinux-refpolicy@vger.kernel.org \
--cc=thakur.virendra1810@gmail.com \
--cc=virendra.thakur@kpit.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.