On 18/12/07 13:57, Stephen Smalley wrote:
> On Tue, 2007-12-18 at 08:34 -0500, Stephen Smalley wrote:
>> On Mon, 2007-12-17 at 22:47 -0500, Chris PeBenito wrote:
>>> Based on the other kernel messages, I'm guessing that the insmod
>>> succeeded despite the tty and capability denials? If so I suppose we
>>> can dontaudit it.
>> I don't think we want to dontaudit the capability denials.
>
> And just to note, denials from insmod can be triggered either by
> userspace activity of insmod or by the module initialization code of the
> loaded module.

I find that on an SMP machine I need both the sys_nice capability and
setsched on kernel_t to load modules. This is because stop_machine() is
called by sys_init_module(), so it makes sense to me to add these to
kernel_load_module().

Index: policy/modules/kernel/kernel.if
===================================================================
--- policy/modules/kernel/kernel.if	(revision 2560)
+++ policy/modules/kernel/kernel.if	(working copy)
@@ -330,6 +330,9 @@
 	allow $1 self:capability sys_module;
 	typeattribute $1 can_load_kernmodule;
+
+	allow $1 self:capability sys_nice;
+	kernel_setsched($1)
 ')
 
 ########################################

-- 
Martin Orr
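Review bot: the two added lines widen every caller of kernel_load_module(), not just the insmod domain: `allow $1 self:capability sys_nice;` and `kernel_setsched($1)` let each domain that loads modules change the scheduling of kernel_t threads, which is more than the single stop_machine() path described in the message justifies for all callers. Consider granting these in the module-loading domain's own policy (or behind a separate interface) rather than in the generic interface, and update the interface's summary comment above the hunk to document the new permissions, since the hunk only touches the body. As the quoted reply notes, denials from insmod can also come from a module's init code, so it is worth confirming that the observed setsched denial is from sys_init_module()'s stop_machine() call before it is granted this broadly.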
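The thread is deciding, per denial, whether a rule belongs as an allow or a dontaudit. As an added example (not code from the thread or from refpolicy), here is a small Python parser that groups AVC denials by source type, target type and object class, then renders candidate rules following the positions stated above: capability denials are kept as allow rules rather than dontaudit'ed, and the tty device access that insmod succeeds without is rendered as dontaudit. The audit lines, pids, and `insmod_t` contexts are constructed for the example; the only policy-specific names taken from the thread are `sys_nice`, `sys_module`, `setsched` and `kernel_t`.

```python
import re
from collections import defaultdict

# Constructed sample AVC lines (assumptions, not captured from the thread's
# machine): a module load on an SMP box showing the denials discussed above.
SAMPLE_AVC = """\
type=AVC msg=audit(1197998520.101:42): avc:  denied  { sys_module } for  pid=2310 comm="insmod" capability=16 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=capability
type=AVC msg=audit(1197998520.102:43): avc:  denied  { sys_nice } for  pid=2310 comm="insmod" capability=23 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=capability
type=AVC msg=audit(1197998520.103:44): avc:  denied  { setsched } for  pid=2310 comm="insmod" scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process
type=AVC msg=audit(1197998520.104:45): avc:  denied  { read write } for  pid=2310 comm="insmod" path="/dev/tty1" dev=tmpfs ino=1234 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
"""

# Matches the permission set, source/target contexts and object class of
# one "avc: denied" record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Object classes whose denials the thread treats as harmless noise worth
# silencing; everything else (capabilities, process setsched) must be
# reviewed and, if needed, allowed.
DONTAUDIT_CLASSES = frozenset({'chr_file'})


def type_of(context):
    """Return the type field of a context like user:role:type:level."""
    return context.split(':')[2]


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perm) for every denied permission."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = type_of(m.group('scontext'))
        tgt = type_of(m.group('tcontext'))
        for perm in m.group('perms').split():
            yield src, tgt, m.group('tclass'), perm


def summarize(text):
    """Group denials as {(src, tgt, tclass): sorted list of perms}."""
    groups = defaultdict(set)
    for src, tgt, tclass, perm in parse_avc(text):
        groups[(src, tgt, tclass)].add(perm)
    return {key: sorted(perms) for key, perms in groups.items()}


def suggest_rules(text, dontaudit_classes=DONTAUDIT_CLASSES):
    """Render one policy statement per group, using 'self' when src == tgt."""
    rules = []
    for (src, tgt, tclass), perms in sorted(summarize(text).items()):
        target = 'self' if src == tgt else tgt
        verb = 'dontaudit' if tclass in dontaudit_classes else 'allow'
        permstr = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'{verb} {src} {target}:{tclass} {permstr};')
    return rules


if __name__ == '__main__':
    for rule in suggest_rules(SAMPLE_AVC):
        print(rule)
```

The output lists the capability and setsched grants separately from the dontaudit candidate, which is the split the thread is arguing about; whether the capability grants then live in the loader's own domain or in kernel_load_module() is the placement question raised by the patch, not something the parser decides.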