From: justinmattock@gmail.com (Justin Mattock) Date: Sat, 12 Sep 2009 15:09:33 -0700 Subject: [refpolicy] [git bisected] 25354c4fee169710fd9da15f3bb2abaa24dcf933 is first bad commit Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com attached is dmesg of the latest Head giving me an avc denial that is giving me an error with checkpolicy: /usr/bin/checkpolicy -c 22 -U deny policy.conf -o policy.22 /usr/bin/checkpolicy: loading policy configuration from policy.conf policy/modules/services/xserver.te":1138:ERROR 'permission module_request is not defined for class system' at token ';' on line 2904222: allow NetworkManager_t kernel_t:system module_request; #============= NetworkManager_t ============== policy/modules/services/xserver.te":1141:ERROR 'permission module_request is not defined for class system' at token ';' on line 2904225: #============= insmod_t ============== allow insmod_t kernel_t:system module_request; policy/modules/services/xserver.te":1144:ERROR 'permission module_request is not defined for class system' at token ';' on line 2904228: allow iptables_t kernel_t:system module_request; #============= iptables_t ============== checkpolicy: error(s) encountered while parsing configuration make: *** [policy.22] Error 1 (please ignore the xserver.te, as a quick way using a monolithic policy, I just randomly throw the allow rules anywhere, before individually locating the right location). here is what git bisect is showing me: 25354c4fee169710fd9da15f3bb2abaa24dcf933 is first bad commit commit 25354c4fee169710fd9da15f3bb2abaa24dcf933 Author: Eric Paris Date: Thu Aug 13 09:45:03 2009 -0400 SELinux: add selinux_kernel_module_request This patch adds a new selinux hook so SELinux can arbitrate if a given process should be allowed to trigger a request for the kernel to try to load a module. This is a different operation than a process trying to load a module itself, which is already protected by CAP_SYS_MODULE. Signed-off-by: Eric Paris Acked-by: Serge Hallyn Signed-off-by: James Morris :040000 040000 0585d8667e7c54b9b3e07f419dc8eff62b32fe96 f63f56f137352a90a909d11d37e8f5462f4306ff M security and FWIW git bisect log: git bisect start # bad: [332a3392188e0ad966543c87b8da2b9d246f301d] Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 git bisect bad 332a3392188e0ad966543c87b8da2b9d246f301d # good: [ed680c4ad478d0fee9740f7d029087f181346564] Linux 2.6.31-rc5 git bisect good ed680c4ad478d0fee9740f7d029087f181346564 # good: [f415c413f458837bd0c27086b79aca889f9435e4] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 git bisect good f415c413f458837bd0c27086b79aca889f9435e4 # good: [6a0f4021469727675b83d85ac91d106bfae0e2c3] Merge branch 'topic/dummy' into for-linus git bisect good 6a0f4021469727675b83d85ac91d106bfae0e2c3 # bad: [a12e4d304ce701844c639541d90df86e165d03f9] Merge branch 'writeback' of git://git.kernel.dk/linux-2.6-block git bisect bad a12e4d304ce701844c639541d90df86e165d03f9 # bad: [2490138cb785d299d898b579fa2874a59a3d321a] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband git bisect bad 2490138cb785d299d898b579fa2874a59a3d321a # bad: [9f0ab4a3f0fdb1ff404d150618ace2fa069bb2e1] binfmt_elf: fix PT_INTERP bss handling git bisect bad 9f0ab4a3f0fdb1ff404d150618ace2fa069bb2e1 # good: [896a6de40ef3814525632609799af909338f50c3] mm_for_maps: take ->cred_guard_mutex to fix the race with exec git bisect good 896a6de40ef3814525632609799af909338f50c3 # bad: [0c2c9a3fc77e8b60d43d9bd2ca46eb4dddb0ff76] KEYS: Allow keyctl_revoke() on keys that have SETATTR but not WRITE perm [try #6] git bisect bad 0c2c9a3fc77e8b60d43d9bd2ca46eb4dddb0ff76 # bad: [ece13879e74313e62109e0755dd3d4f172df89e2] Merge branch 'master' into next git bisect bad ece13879e74313e62109e0755dd3d4f172df89e2 # bad: [25354c4fee169710fd9da15f3bb2abaa24dcf933] SELinux: add selinux_kernel_module_request git bisect bad 25354c4fee169710fd9da15f3bb2abaa24dcf933 # good: [a8f80e8ff94ecba629542d9b4b5f5a8ee3eb565c] Networking: use CAP_NET_ADMIN when deciding to call request_module git bisect good a8f80e8ff94ecba629542d9b4b5f5a8ee3eb565c # good: [9188499cdb117d86a1ea6b04374095b098d56936] security: introducing security_request_module git bisect good 9188499cdb117d86a1ea6b04374095b098d56936 The system is an LFS, there is no proprietary modules at all with this kernel. I have another machine running rc-8 and it seems to not be producing this avc.(keep in mind it does have two proprietary modules: nvidia wl). -- Justin P. Mattock -------------- next part -------------- A non-text attachment was scrubbed... Name: dmesg Type: application/octet-stream Size: 52104 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090912/4a835a73/attachment-0001.obj