selinux December 2007 archive

Re: Xorg modprobe denials

From: Martin Orr <martin_at_nospam>
Date: Wed Dec 19 2007 - 21:11:09 GMT
To: Stephen Smalley <sds@tycho.nsa.gov>


On 18/12/07 13:57, Stephen Smalley wrote:
> On Tue, 2007-12-18 at 08:34 -0500, Stephen Smalley wrote:
>> On Mon, 2007-12-17 at 22:47 -0500, Chris PeBenito wrote:
>>> Based on the other kernel messages, I'm guessing that the insmod
>>> succeeded despite the tty and capability denials? If so I suppose we
>>> can dontaudit it.
>> I don't think we want to dontaudit the capability denials.
>
> And just to note, denials from insmod can be triggered either by
> userspace activity of insmod or by the module initialization code of the
> loaded module.

I find that on an SMP machine I need both the sys_nice capability and setsched on kernel_t to load modules.

This is because stop_machine() is called by sys_init_module(), so it makes sense to me to add these to kernel_load_module().

Index: policy/modules/kernel/kernel.if


  • policy/modules/kernel/kernel.if (revision 2560) +++ policy/modules/kernel/kernel.if (working copy) @@ -330,6 +330,9 @@
allow $1 self:capability sys_module; typeattribute $1 can_load_kernmodule; + + allow $1 self:capability sys_nice; + kernel_setsched($1)
 ') ######################################## -- Martin Orr
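Review bot: the two added lines `allow $1 self:capability sys_nice;` and `kernel_setsched($1)` in kernel_load_module() carry no comment explaining why a module-loading domain needs them; add a one-line comment above them recording the rationale from the message (stop_machine() is called from sys_init_module(), so on SMP the loader needs sys_nice and setsched on kernel_t), otherwise a later reader of kernel.if cannot distinguish this from an over-broad grant. The same comment should note that, because the rules are keyed on `$1`, every caller of kernel_load_module(), including the Xorg domain from the subject line, now receives sys_nice, which also permits changing the scheduling of other processes, so the grant is wider than the stop_machine() case alone.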

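The thread turns on reading AVC denials from a module load and deciding which of them (capability versus tty) deserve allow rules rather than dontaudit. The script below is an added example, not code from this list or from refpolicy: a minimal stand-in for audit2allow that parses constructed AVC records modelled on the denials discussed (sys_module, sys_nice, setsched on kernel_t, plus a tty access), merges them into candidate allow rules, and separates out the capability denials that Stephen says should not be silenced. The audit lines and the `xdm_xserver_t` domain name are constructed for illustration.

```python
"""Mini audit2allow: turn AVC denial records into candidate allow rules.

Added example for this thread; the sample log lines are constructed and
xdm_xserver_t is assumed to be the Xorg domain in the policy discussed.
"""
import re
from collections import defaultdict

# Constructed AVC records (not from the thread). Field layout follows the
# kernel's audit format; capability=16 is CAP_SYS_MODULE, 23 is CAP_SYS_NICE.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1197987660.123:101): avc:  denied  { sys_module } for  pid=4321 comm="insmod" capability=16  scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0 tclass=capability
type=AVC msg=audit(1197987660.124:102): avc:  denied  { sys_nice } for  pid=4321 comm="insmod" capability=23  scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0 tclass=capability
type=AVC msg=audit(1197987660.125:103): avc:  denied  { setsched } for  pid=4321 comm="insmod" scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process
type=AVC msg=audit(1197987660.130:104): avc:  denied  { read write } for  pid=4321 comm="insmod" name="tty7" dev=tmpfs ino=1234 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
"""

# One AVC record: the denied permission set, both contexts and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Parse audit text into a list of denial records (non-AVC lines skipped)."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "perms": frozenset(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return records


def suggest_rules(records):
    """Merge denials per (source, target, class) into allow statements."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        # Same source and target type is written as 'self', as in kernel.if.
        target = "self" if stype == ttype else ttype
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


def capability_denials(records):
    """Denials on the capability class: candidates to allow, not dontaudit."""
    return [r for r in records if r["tclass"] == "capability"]


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT_LOG)
    for rule in suggest_rules(recs):
        print(rule)
    print(len(capability_denials(recs)), "capability denials")
```

Running it on the constructed log yields one `self:capability { sys_module sys_nice }` rule, one `kernel_t:process setsched` rule and one `tty_device_t:chr_file` rule; the first two correspond to what the patch adds to kernel_load_module(), the third is the tty access the thread considers a dontaudit candidate.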