From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sun, 20 Mar 2011 16:56:14 +0100
Subject: [refpolicy] [PATCH]: dontaudit sys_module wpa_supplicant
In-Reply-To: <1300636047.28926.16.camel@tesla.lan>
References: <0Cz62XCZ8hNS.j4bfZvpJ@mail.posta.tim.it> <201103201812.14967.russell@coker.com.au> <1300632793.28926.5.camel@tesla.lan> <20110320150504.GA16383@siphos.be> <1300636047.28926.16.camel@tesla.lan>
Message-ID: <20110320155613.GA18417@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, Mar 20, 2011 at 04:47:27PM +0100, Guido Trentalancia wrote:
> > The moment you set kernel_load_module(NetworkManager_t) you're all set. The
> > neverallow is on all domains that do not have the can_load_kernmodule
> > attribute set, and with kernel_load_module() you set it for the specified
> > domain.
>
> The "neverallow" rule in kernel/kernel.te prevents NetworkManager_t from
> having the "sys_module" capability.

In kernel/kernel.te:

  neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;

The kernel_load_module interface:

  interface(`kernel_load_module',`
  	gen_require(`
  		attribute can_load_kernmodule;
  	')

  	allow $1 self:capability sys_module;
  	typeattribute $1 can_load_kernmodule;

  	# load_module() calls stop_machine() which
  	# calls sched_setscheduler()
  	allow $1 self:capability sys_nice;
  	kernel_setsched($1)
  ')

When you use kernel_load_module(NetworkManager_t), then the typeattribute will
add "can_load_kernmodule" as an attribute to the NetworkManager_t domain. The
neverallow works on all but those domains having can_load_kernmodule and/or
kern_unconfined set as an attribute.

Wkr,
	Sven Vermeulen
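To make the attribute-complement semantics concrete, here is a small model of how a policy compiler expands the neverallow quoted above and checks allow rules against it. This is an added example, not refpolicy or checkpolicy code; the type list, the "insmod_t" domain and the policy dictionary layout are constructed for illustration.

```python
# Simplified model of neverallow evaluation for the rule
#   neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
# Added example; the policy data below is constructed, not taken from refpolicy.

NEGATED_ATTRS = ["can_load_kernmodule", "kern_unconfined"]


def build_policy():
    """Constructed mini policy: concrete types, attribute membership, self allows."""
    return {
        "types": ["kernel_t", "NetworkManager_t", "wpa_supplicant_t", "insmod_t"],
        "attributes": {
            "kern_unconfined": ["kernel_t"],
            "can_load_kernmodule": ["insmod_t"],
        },
        # (source, class, permission); target is implicitly "self"
        "allow": [("insmod_t", "capability", "sys_module")],
    }


def expand(policy, name):
    """Resolve an attribute name to its member types; a plain type maps to itself."""
    return set(policy["attributes"].get(name, [name]))


def neverallow_source(policy, negated):
    """~{ a b } expands to every type that carries neither attribute a nor b."""
    excluded = set()
    for attr in negated:
        excluded |= expand(policy, attr)
    return set(policy["types"]) - excluded


def kernel_load_module(policy, domain):
    """Mirror of the two relevant lines of the interface: allow + typeattribute."""
    policy["allow"].append((domain, "capability", "sys_module"))
    policy["attributes"].setdefault("can_load_kernmodule", []).append(domain)


def neverallow_violations(policy):
    """Types whose self:capability sys_module allow collides with the neverallow."""
    forbidden = neverallow_source(policy, NEGATED_ATTRS)
    hits = set()
    for src, cls, perm in policy["allow"]:
        if cls == "capability" and perm == "sys_module":
            hits |= expand(policy, src) & forbidden
    return sorted(hits)


def compare():
    """Raw allow for NetworkManager_t fails the build; via the interface it passes."""
    raw = build_policy()
    raw["allow"].append(("NetworkManager_t", "capability", "sys_module"))
    via_interface = build_policy()
    kernel_load_module(via_interface, "NetworkManager_t")
    return neverallow_violations(raw), neverallow_violations(via_interface)
```

The first result lists NetworkManager_t because a bare allow leaves it inside the negated set; the second is empty because typeattribute moved it out of that set before the neverallow was checked.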