From: guido@trentalancia.com (Guido Trentalancia)
Date: Sun, 20 Mar 2011 16:47:27 +0100
Subject: [refpolicy] [PATCH]: dontaudit sys_module wpa_supplicant
In-Reply-To: <20110320150504.GA16383@siphos.be>
References: <0Cz62XCZ8hNS.j4bfZvpJ@mail.posta.tim.it>
	<201103201812.14967.russell@coker.com.au>
	<1300632793.28926.5.camel@tesla.lan> <20110320150504.GA16383@siphos.be>
Message-ID: <1300636047.28926.16.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 2011-03-20 at 16:05 +0100, Sven Vermeulen wrote:
> On Sun, Mar 20, 2011 at 03:53:13PM +0100, Guido Trentalancia wrote:
> > Not everybody likes that to happen. And surely there must be a good
> > reason for having a "neverallow" rule in kernel/kernel.te which blocks
> > everything.
> 
> The moment you set kernel_load_module(NetworkManager_t) you're all set. The
> neverallow is on all domains that do not have the can_load_kernmodule
> attribute set, and with kernel_load_moduel() you set it for the specified
> domain.

The "neverallow" rule in kernel/kernel.te prevents NetworkManager_t from
having the "sys_module" capability.

> There's a difference between "not everybody wants this" and "this is what is
> needed to have the application work as it is intended to". In refpolicy, I
> think we should aim at the latter. The former is more for security
> administrators that want to create their own policy.

If you read the Fedora bug that I mentioned in a previous message, then
you'll discover that Dan Walsh was not very keen on doing that (on
Fedora). And we are not talking about system administrators.

> If the mass that doesn't want this is large enough, you might want to
> introduce it with a tunable_policy...

My patch does "dontaudit".

Regards,

Guido