The ttm module, a dependency of radeon/amdgpu, does some
capable(CAP_SYS_ADMIN) checks. Changes in 4.13 have caused some of these
checks to be executed during module initialization, in the context of
modprobe, which fills the audit logs with a lot of denials.
Since failing these capable() checks is not an issue (they merely
control the access to emergency memory reserves, which shouldn't be an
issue during boot), I'm dontauditing them.
One potential issue with this is that if a module that actually needs
CAP_SYS_ADMIN during initialization comes along later, the dontaudit is
going to make the debugging a bit more annoying. Is anyone concerned
about this?
---
policy/modules/system/modutils.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index fe42b0f1d..5e66c4439 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -37,6 +37,8 @@ ifdef(`init_systemd',`
allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
+# for the radeon/amdgpu modules
+dontaudit kmod_t self:capability sys_admin;
allow kmod_t self:udp_socket create_socket_perms;
allow kmod_t self:rawip_socket create_socket_perms;
--
2.15.0
On 11/15/2017 02:09 AM, Luis Ressel via refpolicy wrote:
> The ttm module, a dependency of radeon/amdgpu, does some
> capable(CAP_SYS_ADMIN) checks. Changes in 4.13 have caused some of these
> checks to be executed during module initialization, in the context of
> modprobe, which fills the audit logs with a lot of denials.
>
> Since failing these capable() checks is not an issue (they merely
> control the access to emergency memory reserves, which shouldn't be an
> issue during boot), I'm dontauditing them.
>
> One potential issue with this is that if a module that actually needs
> CAP_SYS_ADMIN during initialization comes along later, the dontaudit is
> going to make the debugging a bit more annoying. Is anyone concerned
> about this?
I'm not concerned about debugging issues. Turning off dontaudits is
well documented.
> ---
> policy/modules/system/modutils.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
> index fe42b0f1d..5e66c4439 100644
> --- a/policy/modules/system/modutils.te
> +++ b/policy/modules/system/modutils.te
> @@ -37,6 +37,8 @@ ifdef(`init_systemd',`
>
> allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
> allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
> +# for the radeon/amdgpu modules
> +dontaudit kmod_t self:capability sys_admin;
>
> allow kmod_t self:udp_socket create_socket_perms;
> allow kmod_t self:rawip_socket create_socket_perms;
>
--
Chris PeBenito
On 11/15/2017 02:09 AM, Luis Ressel via refpolicy wrote:
> The ttm module, a dependency of radeon/amdgpu, does some
> capable(CAP_SYS_ADMIN) checks. Changes in 4.13 have caused some of these
> checks to be executed during module initialization, in the context of
> modprobe, which fills the audit logs with a lot of denials.
>
> Since failing these capable() checks is not an issue (they merely
> control the access to emergency memory reserves, which shouldn't be an
> issue during boot), I'm dontauditing them.
>
> One potential issue with this is that if a module that actually needs
> CAP_SYS_ADMIN during initialization comes along later, the dontaudit is
> going to make the debugging a bit more annoying. Is anyone concerned
> about this?
> ---
> policy/modules/system/modutils.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
> index fe42b0f1d..5e66c4439 100644
> --- a/policy/modules/system/modutils.te
> +++ b/policy/modules/system/modutils.te
> @@ -37,6 +37,8 @@ ifdef(`init_systemd',`
>
> allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
> allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
> +# for the radeon/amdgpu modules
> +dontaudit kmod_t self:capability sys_admin;
>
> allow kmod_t self:udp_socket create_socket_perms;
> allow kmod_t self:rawip_socket create_socket_perms;
Merged.
--
Chris PeBenito