From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sun, 20 Mar 2011 16:56:14 +0100
Subject: [refpolicy] [PATCH]: dontaudit sys_module wpa_supplicant
In-Reply-To: <1300636047.28926.16.camel@tesla.lan>
References: <0Cz62XCZ8hNS.j4bfZvpJ@mail.posta.tim.it>
	<201103201812.14967.russell@coker.com.au>
	<1300632793.28926.5.camel@tesla.lan>
	<20110320150504.GA16383@siphos.be>
	<1300636047.28926.16.camel@tesla.lan>
Message-ID: <20110320155613.GA18417@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, Mar 20, 2011 at 04:47:27PM +0100, Guido Trentalancia wrote:
> > The moment you set kernel_load_module(NetworkManager_t) you're all set. The
> > neverallow is on all domains that do not have the can_load_kernmodule
> > attribute set, and with kernel_load_moduel() you set it for the specified
> > domain.
> 
> The "neverallow" rule in kernel/kernel.te prevents NetworkManager_t from
> having the "sys_module" capability.

In kernel/kernel.te:

  neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;

The kernel_load_module interface:

  interface(`kernel_load_module',`
          gen_require(`
                  attribute can_load_kernmodule;
          ')
  
          allow $1 self:capability sys_module;
          typeattribute $1 can_load_kernmodule;
  
          # load_module() calls stop_machine() which
          # calls sched_setscheduler()
          allow $1 self:capability sys_nice;
          kernel_setsched($1)
  ')
  
When you use kernel_load_module(NetworkManager_t), then the typeattribute
will add "can_load_kernmodule" as an attribute to the NetworkManager_t
domain. The neverallow works on all but those domains having
can_load_kernmodule and/or kern_unconfined set as an attribute.

Wkr,
	Sven Vermeulen