* Re: [refpolicy][PATCH] udev: allow udevadmin to extend socket recv buffer
  [not found] <20250807055834.83153-1-thakur.virendra1810@gmail.com>
@ 2025-08-07 13:57 ` Chris PeBenito
  2025-08-07 14:08   ` Russell Coker
  0 siblings, 1 reply; 2+ messages in thread
From: Chris PeBenito @ 2025-08-07 13:57 UTC
To: Virendra Thakur, Akash.Hadke
Cc: Virendra Thakur, SELinux Reference Policy mailing list

On 8/7/2025 1:58 AM, Virendra Thakur wrote:
> Upstream systemd commit [eba449fa81f6] (PR #29872) modifies udevadm-trigger
> and sd-device-monitor to unconditionally increase the receive buffer size
> on netlink sockets. This helps avoid failures under high event loads.
>
> References:
> - https://github.com/systemd/systemd/pull/29872
>
> To support this in SELinux, allow udevadm to use CAP_NET_ADMIN to extend
> the socket receive buffer to hold more events.
>
> Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
> Signed-off-by: Virendra Thakur <thakur.virendra1810@gmail.com>
> ---
> policy/modules/system/udev.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index e245a66a4..911121771 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -406,6 +406,7 @@ optional_policy(`
> allow udevadm_t self:capability dac_read_search;
> allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
> allow udevadm_t self:unix_stream_socket create_socket_perms;
> +allow udevadm_t self:capability { net_admin };
>
> stream_connect_pattern(udevadm_t, udev_runtime_t, udev_runtime_t, udev_t)

Please put the permission on the same line as the existing dac_read_search
capability.

-- 
Chris PeBenito
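Review bot: the added line `+allow udevadm_t self:capability { net_admin };` introduces a second `self:capability` rule for udevadm_t next to the existing `allow udevadm_t self:capability dac_read_search;` three lines above it in the same hunk; fold the two into a single statement, `allow udevadm_t self:capability { dac_read_search net_admin };`, and put a one-line comment above it naming systemd PR #29872 and the netlink receive-buffer extension as the reason, because net_admin is far broader than the one socket-buffer use the commit message describes and a later reader of udev.te should be able to see why it was granted without digging through git history.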
* Re: [refpolicy][PATCH] udev: allow udevadmin to extend socket recv buffer
  2025-08-07 13:57 ` [refpolicy][PATCH] udev: allow udevadmin to extend socket recv buffer Chris PeBenito
@ 2025-08-07 14:08   ` Russell Coker
  0 siblings, 0 replies; 2+ messages in thread
From: Russell Coker @ 2025-08-07 14:08 UTC
To: Virendra Thakur, Akash.Hadke, Chris PeBenito
Cc: Virendra Thakur, SELinux Reference Policy mailing list

On Thursday, 7 August 2025 23:57:34 AEST Chris PeBenito wrote:
> On 8/7/2025 1:58 AM, Virendra Thakur wrote:
> > Upstream systemd commit [eba449fa81f6] (PR #29872) modifies
> > udevadm-trigger
> > and sd-device-monitor to unconditionally increase the receive buffer size
> > on netlink sockets. This helps avoid failures under high event loads.
> >
> > References:
> > - https://github.com/systemd/systemd/pull/29872
> >
> > To support this in SELinux, allow udevadm to use CAP_NET_ADMIN to extend
> > the socket receive buffer to hold more events.
> >
> > Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
> > Signed-off-by: Virendra Thakur <thakur.virendra1810@gmail.com>
> > ---
> >
> > policy/modules/system/udev.te | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> > index e245a66a4..911121771 100644
> > --- a/policy/modules/system/udev.te
> > +++ b/policy/modules/system/udev.te
> > @@ -406,6 +406,7 @@ optional_policy(`
> >
> > allow udevadm_t self:capability dac_read_search;
> > allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
> > allow udevadm_t self:unix_stream_socket create_socket_perms;
> >
> > +allow udevadm_t self:capability { net_admin };
> >
> > stream_connect_pattern(udevadm_t, udev_runtime_t, udev_runtime_t,
> > udev_t)
>
> Please put the permission on the same line as the existing
> dac_read_search capability.

Please put a comment in the te file about this to make it clear it's not
just another of the systemd daemons needlessly changing buffer sizes.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/