dovecot & cap_net_admin capability

Michal Hlavinka mhlavink at redhat.com
Tue Jun 20 14:18:33 EEST 2017


Hi,

we've seen SELinux reports from our users that dovecot tried to use 
something that needs CAP_NET_ADMIN capability. Before enabling it, we 
would like to know where it originated from. I've checked the sources, 
but was not able to find anything that would require this capability. Do 
you know for what it is used?

CAP_NET_ADMIN
Perform various network-related operations:
* interface configuration;
* administration of IP firewall, masquerading, and accounting;
* modify routing tables;
* bind to any address for transparent proxying "IP_TRANSPARENT";
* set type-of-service (TOS) "IP_TOS"
* clear driver statistics;
* set promiscuous mode;
* enabling multicasting;
* use  setsockopt(2)  to  set  the  following  socket  options: 
SO_DEBUG,  SO_MARK,  SO_PRIORITY (for a priority outside the range 0 to 
6),SO_RCVBUFFORCE, and SO_SNDBUFFORCE

Cheers,
Michal Hlavinka


More information about the dovecot mailing list