
Bug#977813: Bug#980974: apparmor blocks cups backend outgoing network connections



Christian Boltz wrote on Wed 17. Aug, 20:47 (+0200):
> Hello,
> 
> denials for capability net_admin are often a sign that a service uses 
> systemd libraries on startup, and these systemd libraries do funny[tm] 
> things. In these cases the net_admin capability is not really needed.

Hi,

yes, you are right. Systemd is the culprit. This is the call leading to the
audit message:

``` text
81641 09:05:48.607647 setsockopt(12<socket:[1138186]>, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted) <0.000020>
 > /usr/lib/x86_64-linux-gnu/libc.so.6(setsockopt+0xa) [0x10b59a]
 > /usr/lib/x86_64-linux-gnu/libsystemd.so.0.34.0(sd_machine_get_ifindices+0x104c1) [0x90ec1]
 > /usr/lib/x86_64-linux-gnu/libsystemd.so.0.34.0(sd_pid_notify_with_fds+0x1ae) [0x6ebfe]
 > /usr/lib/x86_64-linux-gnu/libsystemd.so.0.34.0(sd_notifyf+0xd8) [0x6f328]
 > /usr/sbin/cupsd() [0xc130]
 > /usr/lib/x86_64-linux-gnu/libc.so.6(__libc_init_first+0x8a) [0x2920a]
 > /usr/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x7c) [0x292bc]
 > /usr/sbin/cupsd() [0xd5c1]
```

Hence, it should be okay to deny the access. I've added the line
`deny capability net_admin,` and cups works and the audit message is gone.


Regards

Jörg

-- 
"Health is that measure of illness which still allows me to
pursue my essential occupations." (Friedrich Nietzsche)
