From: guido@trentalancia.com (Guido Trentalancia)
Date: Sun, 20 Mar 2011 16:47:27 +0100
Subject: [refpolicy] [PATCH]: dontaudit sys_module wpa_supplicant
In-Reply-To: <20110320150504.GA16383@siphos.be>
References: <0Cz62XCZ8hNS.j4bfZvpJ@mail.posta.tim.it>
 <201103201812.14967.russell@coker.com.au>
 <1300632793.28926.5.camel@tesla.lan>
 <20110320150504.GA16383@siphos.be>
Message-ID: <1300636047.28926.16.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 2011-03-20 at 16:05 +0100, Sven Vermeulen wrote:
> On Sun, Mar 20, 2011 at 03:53:13PM +0100, Guido Trentalancia wrote:
> > Not everybody likes that to happen. And surely there must be a good
> > reason for having a "neverallow" rule in kernel/kernel.te which blocks
> > everything.
>
> The moment you set kernel_load_module(NetworkManager_t) you're all set. The
> neverallow is on all domains that do not have the can_load_kernmodule
> attribute set, and with kernel_load_module() you set it for the specified
> domain.

The "neverallow" rule in kernel/kernel.te prevents NetworkManager_t from
having the "sys_module" capability.

> There's a difference between "not everybody wants this" and "this is what is
> needed to have the application work as it is intended to". In refpolicy, I
> think we should aim at the latter. The former is more for security
> administrators that want to create their own policy.

If you read the Fedora bug that I mentioned in a previous message, then
you'll discover that Dan Walsh was not very keen on doing that (on Fedora).
And we are not talking about system administrators.

> If the mass that doesn't want this is large enough, you might want to
> introduce it with a tunable_policy...

My patch does "dontaudit".

Regards,

Guido
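The mechanism Sven describes (a neverallow that exempts only domains carrying the can_load_kernmodule attribute, which kernel_load_module() assigns) and the dontaudit route the patch takes, written out as refpolicy .te fragments. This is an added illustration, not the patch under discussion nor code from refpolicy; NetworkManager_t is the domain the thread names, and the boolean name networkmanager_silence_sys_module is hypothetical.

```selinux
# Added illustration (not from the patch or from refpolicy): the three ways
# this thread discusses for handling an AVC denial of sys_module in
# NetworkManager_t.

# 1. What the patch does: silence the denial without granting the capability.
#    NetworkManager_t still cannot load kernel modules; only the audit noise
#    stops. This leaves the global neverallow in kernel/kernel.te intact, and
#    neverallow is checked against allow rules, not dontaudit rules.
dontaudit NetworkManager_t self:capability sys_module;

# 2. What Sven suggests: grant the capability through the kernel interface.
#    kernel_load_module() allows sys_module and adds the domain to the
#    can_load_kernmodule attribute, which is the exemption in the neverallow
#    (the rule in kernel/kernel.te is of the form quoted in the comment
#    below). After this the domain can load arbitrary kernel modules, so a
#    compromise of the domain is effectively a compromise of the kernel.
kernel_load_module(NetworkManager_t)
#    neverallow ~can_load_kernmodule self:capability sys_module;

# 3. The tunable_policy variant: typeattribute is not permitted inside a
#    conditional block, so kernel_load_module() cannot be placed under a
#    boolean, and a conditional allow of sys_module without the attribute
#    still fails the neverallow at compile time. A tunable can therefore only
#    toggle the silence, not the permission. Boolean name is hypothetical.
gen_tunable(networkmanager_silence_sys_module, false)
tunable_policy(`networkmanager_silence_sys_module',`
	dontaudit NetworkManager_t self:capability sys_module;
')
```

The practical check before choosing between 1 and 2 is the audit log itself: if the denial is only logged and the application still works (wpa_supplicant does not actually need to load a module), the dontaudit form is the one that keeps the kernel's attack surface unchanged.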