From: aranea@aixah.de (Luis Ressel)
Date: Wed, 15 Nov 2017 08:09:50 +0100
Subject: [refpolicy] [PATCH] modutils: Dontaudit CAP_SYS_ADMIN checks for
	modprobe
Message-ID: <20171115070950.1914-1-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The ttm module, a dependency of radeon/amdgpu, does some
capable(CAP_SYS_ADMIN) checks. Changes in 4.13 have caused some of these
checks to be executed during module initialization, in the context of
modprobe, which fills the audit logs with a lot of denials.

Since failing these capable() checks is not an issue (they merely
control the access to emergency memory reserves, which shouldn't be an
issue during boot), I'm dontauditing them.

One potential issue with this is that if a module that actually needs
CAP_SYS_ADMIN during initialization comes along later, the dontaudit is
going to make the debugging a bit more annoying. Is anyone concerned
about this?
---
 policy/modules/system/modutils.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index fe42b0f1d..5e66c4439 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -37,6 +37,8 @@ ifdef(`init_systemd',`
 
 allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
 allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
+# for the radeon/amdgpu modules
+dontaudit kmod_t self:capability sys_admin;
 
 allow kmod_t self:udp_socket create_socket_perms;
 allow kmod_t self:rawip_socket create_socket_perms;
-- 
2.15.0