From: aranea@aixah.de (Luis Ressel) Date: Wed, 15 Nov 2017 08:09:50 +0100 Subject: [refpolicy] [PATCH] modutils: Dontaudit CAP_SYS_ADMIN checks for modprobe Message-ID: <20171115070950.1914-1-aranea@aixah.de> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The ttm module, a dependency of radeon/amdgpu, does some capable(CAP_SYS_ADMIN) checks. Changes in 4.13 have caused some of these checks to be executed during module initialization, in the context of modprobe, which fills the audit logs with a lot of denials. Since failing these capable() checks is not an issue (they merely control the access to emergency memory reserves, which shouldn't be an issue during boot), I'm dontauditing them. One potential issue with this is that if a module that actually needs CAP_SYS_ADMIN during initialization comes along later, the dontaudit is going to make the debugging a bit more annoying. Is anyone concerned about this? --- policy/modules/system/modutils.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index fe42b0f1d..5e66c4439 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -37,6 +37,8 @@ ifdef(`init_systemd',` allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config }; allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal }; +# for the radeon/amdgpu modules +dontaudit kmod_t self:capability sys_admin; allow kmod_t self:udp_socket create_socket_perms; allow kmod_t self:rawip_socket create_socket_perms; -- 2.15.0
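Review bot: The inline comment on the added `dontaudit kmod_t self:capability sys_admin;` line should carry the justification from the commit message, not just the module names, because a bare dontaudit is exactly the kind of rule a later maintainer will be tempted to "fix" by turning it into an allow. Something like `# ttm (radeon/amdgpu dep) checks CAP_SYS_ADMIN at module init since 4.13; failing it only denies emergency memory reserves, so suppress instead of allowing` records both why the denial is harmless and why the rule is a dontaudit rather than an allow. Two checks on the placement: the hunk header names `ifdef(\`init_systemd',\`` as the nearest enclosing context, so confirm the two added lines land outside that block (the capable() check fires at module load regardless of init system, so the rule should not be systemd-only), and confirm the file has no existing `allow kmod_t self:capability ... sys_admin` that this would shadow. On the debugging concern raised in the message: the usual answer for a refpolicy dontaudit is that `semodule -DB` rebuilds the policy with all dontaudit rules disabled, so the suppressed denials for a module that genuinely needs CAP_SYS_ADMIN at init are still recoverable when needed; mentioning that in the comment or commit message would preempt the question.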