From: Russell Coker
To: Virendra Thakur, Akash.Hadke@kpit.com, Chris PeBenito
Reply-To: russell@coker.com.au
Cc: Virendra Thakur, SELinux Reference Policy mailing list
Subject: Re: [refpolicy][PATCH] udev: allow udevadmin to extend socket recv buffer
Date: Fri, 08 Aug 2025 00:08:01 +1000
Message-ID: <2291363.6tgchFWduM@xev>
References: <20250807055834.83153-1-thakur.virendra1810@gmail.com>

On Thursday, 7 August 2025 23:57:34 AEST Chris PeBenito wrote:
> On 8/7/2025 1:58 AM, Virendra Thakur wrote:
> > Upstream systemd commit [eba449fa81f6] (PR #29872) modifies udevadm-trigger
> > and sd-device-monitor to unconditionally increase the receive buffer size
> > on netlink sockets. This helps avoid failures under high event loads.
> >
> > References:
> > - https://github.com/systemd/systemd/pull/29872
> >
> > To support this in SELinux, allow udevadm to use CAP_NET_ADMIN to extend
> > the socket receive buffer to hold more events.
> >
> > Signed-off-by: Virendra Thakur
> > Signed-off-by: Virendra Thakur
> > ---
> >
> >  policy/modules/system/udev.te | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> > index e245a66a4..911121771 100644
> > --- a/policy/modules/system/udev.te
> > +++ b/policy/modules/system/udev.te
> > @@ -406,6 +406,7 @@ optional_policy(`
> >
> >  allow udevadm_t self:capability dac_read_search;
> >  allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
> >  allow udevadm_t self:unix_stream_socket create_socket_perms;
> >
> > +allow udevadm_t self:capability { net_admin };
> >
> >  stream_connect_pattern(udevadm_t, udev_runtime_t, udev_runtime_t,
> > udev_t)
>
> Please put the permission on the same line as the existing
> dac_read_search capability.

Please put a comment in the te file about this to make it clear it's not just
another of the systemd daemons needlessly changing buffer sizes.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
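Review bot: the new `+allow udevadm_t self:capability { net_admin };` line duplicates the `self:capability` rule already present three lines above it in the hunk; fold the two into a single rule, `allow udevadm_t self:capability { dac_read_search net_admin };`, rather than adding a second rule for the same source, class and target. Precede that rule with a comment naming the reason given in the commit message (systemd PR #29872, udevadm-trigger and sd-device-monitor raising the netlink socket receive buffer), because net_admin is a broad capability that covers far more than socket buffer sizing, and a reader of udev.te needs to see that this grant exists only to satisfy that buffer change so it can be revisited if systemd's behaviour changes.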