From: guido@trentalancia.com (Guido Trentalancia) Date: Mon, 21 Mar 2011 15:07:39 +0100 Subject: [refpolicy] R: Re: [PATCH]: dontaudit sys_module wpa_supplicant Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -- original message -- Subject: Re: [refpolicy] [PATCH]: dontaudit sys_module wpa_supplicant From: "Christopher J. PeBenito" Date: 21/03/2011 14:24 On 03/20/11 12:18, Guido Trentalancia wrote: > On Sun, 2011-03-20 at 16:56 +0100, Sven Vermeulen wrote: >> On Sun, Mar 20, 2011 at 04:47:27PM +0100, Guido Trentalancia wrote: >>>> The moment you set kernel_load_module(NetworkManager_t) you're all set. The >>>> neverallow is on all domains that do not have the can_load_kernmodule >>>> attribute set, and with kernel_load_moduel() you set it for the specified >>>> domain. >>> >>> The "neverallow" rule in kernel/kernel.te prevents NetworkManager_t from >>> having the "sys_module" capability. >> >> In kernel/kernel.te: >> >> neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module; >> >> The kernel_load_module interface: >> >> interface(`kernel_load_module',` >> gen_require(` >> attribute can_load_kernmodule; >> ') >> >> allow $1 self:capability sys_module; >> typeattribute $1 can_load_kernmodule; >> >> # load_module() calls stop_machine() which >> # calls sched_setscheduler() >> allow $1 self:capability sys_nice; >> kernel_setsched($1) >> ') >> >> When you use kernel_load_module(NetworkManager_t), then the typeattribute >> will add "can_load_kernmodule" as an attribute to the NetworkManager_t >> domain. The neverallow works on all but those domains having >> can_load_kernmodule and/or kern_unconfined set as an attribute. > > It seems quite difficult to explain this... > > I do not want to break things for distributions that do not want > wpa_supplicant to load kernel modules and in any case I would like to > hear from Christopher. > > So unless Dan Walsh changes his mind there needs to be at least one > ifdef (for DISTRO=redhat). > > I am happy to prepare a patch which does can_load_kernmodule()/dontaudit > depending on the distribution, but I need to hear from people with > authority for each distribution. And Christopher should decide what > would be the default behaviour. > > It is perfectly fine to me (and I would probably be happier) if the > default behaviour is can_load_kernmodule() as I do not particularly like > "dontaudit" for stuff which just logs once (but Christopher has a > different opinion on this, so once again nothing can be changed before > Monday). > I would rather not allow > this. We don't want > network-facing services > loading kernel modules. At least wpa_supplicant is not network-facing (would need to check for NetworkManager). It should not be dealing with sockets and connections, so it should be *isolated* from the network and the outside world (at least at L3 and above). In any case it could be "dontaudit"ed. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com