selinux-refpolicy.vger.kernel.org archive mirror
* Re: [refpolicy][PATCH] udev: allow udevadmin to extend socket recv buffer
From: Chris PeBenito @ 2025-08-07 13:57 UTC (permalink / raw)
  To: Virendra Thakur, Akash.Hadke
  Cc: Virendra Thakur, SELinux Reference Policy mailing list

On 8/7/2025 1:58 AM, Virendra Thakur wrote:
> Upstream systemd commit [eba449fa81f6] (PR #29872) modifies udevadm-trigger
> and sd-device-monitor to unconditionally increase the receive buffer size
> on netlink sockets. This helps avoid failures under high event loads.
> 
> References:
> - https://github.com/systemd/systemd/pull/29872
> 
> To support this in SELinux, allow udevadm to use CAP_NET_ADMIN to extend
> the socket receive buffer to hold more events.
> 
> Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
> Signed-off-by: Virendra Thakur <thakur.virendra1810@gmail.com>
> ---
>   policy/modules/system/udev.te | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index e245a66a4..911121771 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -406,6 +406,7 @@ optional_policy(`
>   allow udevadm_t self:capability dac_read_search;
>   allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
>   allow udevadm_t self:unix_stream_socket create_socket_perms;
> +allow udevadm_t self:capability { net_admin };
>   
>   stream_connect_pattern(udevadm_t, udev_runtime_t, udev_runtime_t, udev_t)
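Review bot: the added `+allow udevadm_t self:capability { net_admin };` creates a second `self:capability` rule for udevadm_t when one already exists three lines above it (`allow udevadm_t self:capability dac_read_search;`); fold the new permission into that existing rule as `allow udevadm_t self:capability { dac_read_search net_admin };` rather than appending a separate line after the socket rules. The commit message also says net_admin is needed only so udevadm can grow the netlink receive buffer (systemd PR #29872), but nothing in the .te file records that; a one-line comment above the rule naming that reason would let a later reader tell this grant apart from a blanket capability added to silence a denial, and would give a reviewer something to remove the permission against if the upstream behaviour changes again.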

Please put the permission on the same line as the existing 
dac_read_search capability.

-- 
Chris PeBenito


* Re: [refpolicy][PATCH] udev: allow udevadmin to extend socket recv buffer
From: Russell Coker @ 2025-08-07 14:08 UTC (permalink / raw)
  To: Virendra Thakur, Akash.Hadke, Chris PeBenito
  Cc: Virendra Thakur, SELinux Reference Policy mailing list

On Thursday, 7 August 2025 23:57:34 AEST Chris PeBenito wrote:
> On 8/7/2025 1:58 AM, Virendra Thakur wrote:
> > Upstream systemd commit [eba449fa81f6] (PR #29872) modifies
> > udevadm-trigger
> > and sd-device-monitor to unconditionally increase the receive buffer size
> > on netlink sockets. This helps avoid failures under high event loads.
> > 
> > References:
> > - https://github.com/systemd/systemd/pull/29872
> > 
> > To support this in SELinux, allow udevadm to use CAP_NET_ADMIN to extend
> > the socket receive buffer to hold more events.
> > 
> > Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
> > Signed-off-by: Virendra Thakur <thakur.virendra1810@gmail.com>
> > ---
> > 
> >   policy/modules/system/udev.te | 1 +
> >   1 file changed, 1 insertion(+)
> > 
> > diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> > index e245a66a4..911121771 100644
> > --- a/policy/modules/system/udev.te
> > +++ b/policy/modules/system/udev.te
> > @@ -406,6 +406,7 @@ optional_policy(`
> > 
> >   allow udevadm_t self:capability dac_read_search;
> >   allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
> >   allow udevadm_t self:unix_stream_socket create_socket_perms;
> > 
> > +allow udevadm_t self:capability { net_admin };
> > 
> >   stream_connect_pattern(udevadm_t, udev_runtime_t, udev_runtime_t,
> >   udev_t)
> 
> Please put the permission on the same line as the existing
> dac_read_search capability.

Please put a comment in the te file about this to make it clear it's not just 
another of the systemd daemons needlessly changing buffer sizes.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
