2011-03-19 20:13:59

by Guido Trentalancia

Subject: [refpolicy] [PATCH]: dontaudit sys_module wpa_supplicant

wpa_supplicant (NetworkManager_t) tries to load kernel modules. I think
this is forbidden in the first place by a neverallow rule in
kernel/kernel.te. So the following patch simply "dontaudit" sys_module
requests from wpa_supplicant (and NetworkManager).

The inability to load kernel modules might prevent wpa_supplicant
from being fully functional (for example, it might need to use
cryptographic algorithms provided by kernel modules for certain
authentication and ciphering protocols). In any case, a warning/error
message should still get printed out in the relevant log file (so that
the user can take corrective manual action).

--- refpolicy-git-17032011/policy/modules/services/networkmanager.te 2011-01-08 19:07:21.269745618 +0100
+++ refpolicy-git-17032011-wpasupplicant-sysmodule/policy/modules/services/networkmanager.te 2011-03-19 19:56:52.232376452 +0100
@@ -36,7 +36,7 @@ init_system_domain(wpa_cli_t, wpa_cli_ex
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
-dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
+dontaudit NetworkManager_t self:capability { sys_module sys_tty_config sys_ptrace };
allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
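Review bot: the new `sys_module` entry in the dontaudit line is undocumented, and the only comment above it explains the ptrace case; please add a comment stating why the capability is silenced (wpa_supplicant attempting to load kernel modules, which the policy forbids) and, as asked in the thread, name which modules it tries to load. Note also that once this rule is loaded the SELinux denial itself no longer appears in the audit log, so the "warning/error message" the description relies on will have to come from wpa_supplicant's own log output, not from the AVC record.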

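As an added example (not part of this thread or of refpolicy), the following checks constructed AVC records against the patched dontaudit rule to show which denials stop reaching the audit log once it is loaded; the sample lines, helper names and capability numbers are assumptions made here.

```python
import re

# Constructed sample AVC records (not taken from the original post): what the
# audit log shows before the proposed dontaudit rule is in effect.
SAMPLE_AVC = """
type=AVC msg=audit(1300561234.123:101): avc:  denied  { sys_module } for  pid=1234 comm="wpa_supplicant" capability=16  scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability
type=AVC msg=audit(1300561234.456:102): avc:  denied  { sys_tty_config } for  pid=1200 comm="NetworkManager" capability=26  scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability
type=AVC msg=audit(1300561235.789:103): avc:  denied  { sys_module } for  pid=900 comm="modprobe" capability=16  scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=capability
"""

# Pulls the permission set, the command, source/target domains and the
# object class out of one "avc: denied" record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=\w+:\w+:(?P<sdomain>\w+):\S+ tcontext=\w+:\w+:(?P<tdomain>\w+):\S+ tclass=(?P<tclass>\w+)'
)


def parse_avc(text):
    """Return one dict per AVC denial line; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = set(d["perms"].split())
            out.append(d)
    return out


def dontaudit_covers(rule, denial):
    """rule = (source_type, target_type_or_'self', tclass, perms).
    'self' matches only when source and target domain are the same type."""
    src, tgt, tclass, perms = rule
    if denial["sdomain"] != src or denial["tclass"] != tclass:
        return False
    if tgt == "self":
        if denial["sdomain"] != denial["tdomain"]:
            return False
    elif denial["tdomain"] != tgt:
        return False
    return denial["perms"] <= perms


# The rule as it reads after the patch (hypothetical tuple form of the .te line).
PATCH_RULE = ("NetworkManager_t", "self", "capability",
              {"sys_module", "sys_tty_config", "sys_ptrace"})


def still_audited(text, rule=PATCH_RULE):
    """Denials that would still be written to the audit log with the rule loaded."""
    return [d for d in parse_avc(text) if not dontaudit_covers(rule, d)]
```

With the rule loaded, the wpa_supplicant record is the one that vanishes, so its own log message becomes the only trace of the refused module load; `semodule -DB` temporarily disables all dontaudit rules when that record is needed for debugging.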

2011-03-20 00:11:35

by Russell Coker

Subject: [refpolicy] [PATCH]: dontaudit sys_module wpa_supplicant

On Sun, 20 Mar 2011, Guido Trentalancia <[email protected]> wrote:
> wpa_supplicant (NetworkManager_t) tries to load kernel modules. I think
> this is forbidden in the first place by a neverallow rule in
> kernel/kernel.te. So the following patch simply "dontaudit" sys_module
> requests from wpa_supplicant (and NetworkManager).

Which kernel modules?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/