From: russell@coker.com.au (Russell Coker)
Date: Mon, 21 Mar 2011 08:55:53 +1100
Subject: [refpolicy] [PATCH]: dontaudit sys_module wpa_supplicant
In-Reply-To: <1300632793.28926.5.camel@tesla.lan>
References: <0Cz62XCZ8hNS.j4bfZvpJ@mail.posta.tim.it> <201103201812.14967.russell@coker.com.au> <1300632793.28926.5.camel@tesla.lan>
Message-ID: <201103210855.53978.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 21 Mar 2011, Guido Trentalancia wrote:
> > Sounds like we want to allow the wpa_supplicant to do this.
>
> Not everybody likes that to happen. And surely there must be a good
> reason for having a "neverallow" rule in kernel/kernel.te which blocks
> everything.
>
> See Bug#515136 on Debian but even more importantly Bug#684415 on Fedora.

That Debian bug isn't relevant.

Dan asked "Why would wpa_supplicant be loading kernel modules directly?". You
have answered that question in this discussion; you could include your answer
in the Red Hat Bugzilla if you want.

On Mon, 21 Mar 2011, Guido Trentalancia wrote:
> So unless Dan Walsh changes his mind there needs to be at least one
> ifdef (for DISTRO=redhat).

If Dan has expressed an opinion on this matter then please cite a reference.
Asking why something happens is a long way from stating an opinion that it
shouldn't be permitted.

> I am happy to prepare a patch which does can_load_kernmodule()/dontaudit
> depending on the distribution, but I need to hear from people with
> authority for each distribution. And Christopher should decide what
> would be the default behaviour.

You have already heard from me.

Don't get too bothered about getting support from different distributions,
no-one else worries much about such things.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
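The two options Guido describes (grant the sys_module capability through the can_load_kernmodule attribute, or silence the denial with dontaudit), written out as a refpolicy-style fragment so the shape of the proposed distribution-conditional patch is visible. This is an added illustration, not a patch from this thread. It assumes refpolicy's kernel_load_module() interface (which grants self:capability sys_module and adds the caller to the can_load_kernmodule attribute, so the neverallow in kernel/kernel.te is satisfied), refpolicy's distro_redhat build macro, and that wpa_supplicant runs in the NetworkManager_t domain as in refpolicy's networkmanager module; substitute the domain your policy actually uses.

```m4
# Added example (not from the refpolicy mailing list thread).
# Assumed domain for wpa_supplicant: NetworkManager_t (refpolicy's
# networkmanager module labels wpa_supplicant with NetworkManager_exec_t).
# Assumed interface: kernel_load_module() from kernel/kernel.if, which
# does "allow $1 self:capability sys_module;" and
# "typeattribute $1 can_load_kernmodule;" so the rule is not rejected by
# "neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;".

ifdef(`distro_redhat',`
	# Red Hat position in the thread: do not let the daemon load modules;
	# just stop the sys_module attempt from filling the audit log.
	# The operation is still denied at runtime.
	dontaudit NetworkManager_t self:capability sys_module;
',`
	# Default for other distributions: permit module loading via the
	# attribute, which is the only way past the neverallow in kernel.te.
	# A raw "allow NetworkManager_t self:capability sys_module;" without
	# the attribute would fail the policy build.
	kernel_load_module(NetworkManager_t)
')
```

When checking which branch a built policy took, sesearch on the compiled policy shows either an allow rule for sys_module on the domain or a dontaudit rule, never both; a dontaudit branch still produces a runtime EPERM for the daemon, so whatever it was trying to load stays unloaded.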