From: guido@trentalancia.com (Guido Trentalancia)
Date: Sat, 19 Mar 2011 21:13:59 +0100
Subject: [refpolicy] [PATCH]: dontaudit sys_module wpa_supplicant
Message-ID: <1300565639.3101.25.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

wpa_supplicant (NetworkManager_t) tries to load kernel modules. I think this is forbidden in the first place by a neverallow rule in kernel/kernel.te. So the following patch simply "dontaudit" sys_module requests from wpa_supplicant (and NetworkManager).

The inability to load kernel modules might prevent wpa_supplicant from being fully functional (for example, it might need to use cryptographic algorithms provided by kernel modules for certain authentication and ciphering protocols). In any case, a warning/error message should still get printed out in the relevant log file (so that the user can take corrective manual action).

--- refpolicy-git-17032011/policy/modules/services/networkmanager.te	2011-01-08 19:07:21.269745618 +0100
+++ refpolicy-git-17032011-wpasupplicant-sysmodule/policy/modules/services/networkmanager.te	2011-03-19 19:56:52.232376452 +0100
@@ -36,7 +36,7 @@ init_system_domain(wpa_cli_t, wpa_cli_ex
 # networkmanager will ptrace itself if gdb is installed
 # and it receives a unexpected signal (rh bug #204161)
 allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
-dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
+dontaudit NetworkManager_t self:capability { sys_module sys_tty_config sys_ptrace };
 allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
 allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
 allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
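Review bot: the new sys_module entry in the dontaudit line has no explanatory comment, while the neighbouring sys_ptrace rules carry one ("networkmanager will ptrace itself ... rh bug #204161"); the reasoning from the cover letter (sys_module is neverallowed in kernel/kernel.te, so the denial is silenced deliberately rather than granted) belongs in the .te file itself, e.g. a line "# wpa_supplicant attempts module loading; sys_module is neverallowed, silence it" directly above the dontaudit, so a later reader does not mistake the silenced capability for an oversight. Note also that silencing the denial removes the only SELinux-side evidence of the failed attempt; the cover letter relies on wpa_supplicant's own log message to make the failure visible, and that assumption is worth stating in the comment as well.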