From: guido@trentalancia.com (Guido Trentalancia)
Date: Sat, 19 Mar 2011 21:13:59 +0100
Subject: [refpolicy] [PATCH]: dontaudit sys_module wpa_supplicant
Message-ID: <1300565639.3101.25.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

wpa_supplicant (NetworkManager_t) tries to load kernel modules. I think
this is forbidden in the first place by a neverallow rule in
kernel/kernel.te. So the following patch simply "dontaudit" sys_module
requests from wpa_supplicant (and NetworkManager).

The inability of loading kernel modules might prevent wpa_supplicant
from being fully functional (for example, it might need to use
cryptographic algorithms provided by kernel modules for certain
authentication and ciphering protocols). In any case, a warning/error
message should still get printed out in the relative log file (so that
the user can take corrective manual action).

--- refpolicy-git-17032011/policy/modules/services/networkmanager.te	2011-01-08 19:07:21.269745618 +0100
+++ refpolicy-git-17032011-wpasupplicant-sysmodule/policy/modules/services/networkmanager.te	2011-03-19 19:56:52.232376452 +0100
@@ -36,7 +36,7 @@ init_system_domain(wpa_cli_t, wpa_cli_ex
 # networkmanager will ptrace itself if gdb is installed
 # and it receives a unexpected signal (rh bug #204161)
 allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
-dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
+dontaudit NetworkManager_t self:capability { sys_module sys_tty_config sys_ptrace };
 allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
 allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
 allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };