From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 16 Nov 2017 20:10:55 -0500
Subject: [refpolicy] [PATCH] modutils: Dontaudit CAP_SYS_ADMIN checks for modprobe
In-Reply-To: <20171115070950.1914-1-aranea@aixah.de>
References: <20171115070950.1914-1-aranea@aixah.de>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/15/2017 02:09 AM, Luis Ressel via refpolicy wrote:
> The ttm module, a dependency of radeon/amdgpu, does some
> capable(CAP_SYS_ADMIN) checks. Changes in 4.13 have caused some of these
> checks to be executed during module initialization, in the context of
> modprobe, which fills the audit logs with a lot of denials.
>
> Since failing these capable() checks is not an issue (they merely
> control the access to emergency memory reserves, which shouldn't be an
> issue during boot), I'm dontauditing them.
>
> One potential issue with this is that if a module that actually needs
> CAP_SYS_ADMIN during initialization comes along later, the dontaudit is
> going to make the debugging a bit more annoying. Is anyone concerned
> about this?

I'm not concerned about debugging issues. Turning off dontaudits is well documented.

> ---
> policy/modules/system/modutils.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
> index fe42b0f1d..5e66c4439 100644
> --- a/policy/modules/system/modutils.te
> +++ b/policy/modules/system/modutils.te
> @@ -37,6 +37,8 @@ ifdef(`init_systemd',`
>
> allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
> allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
> +# for the radeon/amdgpu modules
> +dontaudit kmod_t self:capability sys_admin;
>
> allow kmod_t self:udp_socket create_socket_perms;
> allow kmod_t self:rawip_socket create_socket_perms;
> --

Chris PeBenito
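Review bot: the inline comment on the added `dontaudit kmod_t self:capability sys_admin;` line names only radeon/amdgpu, while the commit message attributes the capable(CAP_SYS_ADMIN) calls to the ttm module they depend on and to a kernel change in 4.13; carrying that into the comment (for example `# ttm, pulled in by radeon/amdgpu, checks CAP_SYS_ADMIN at init since 4.13`) would tell a future reader what the rule silences and when it can be revisited. Note also that the dontaudit is not scoped to that module: the rule applies to every kmod_t capability check for sys_admin, so any later module that genuinely needs CAP_SYS_ADMIN during initialization will fail with no audit record until dontaudit rules are disabled, as the commit message itself acknowledges.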