refpolicy: syscall init_module needs sys_nice & setsched

Hi,
while playing with current Debian Sid, Linux 2.6.25, I noticed denials
on modprobe:

May 22 07:26:11 sid kernel: [    9.195474] type=1400 audit(1211433957.144:3): avc:  denied  { sys_nice } for  pid=801 comm="modprobe" capability=23 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=capability
May 22 07:26:11 sid kernel: [    9.198362] type=1400 audit(1211433957.144:3): avc:  denied  { setsched } for  pid=801 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=process

After a longer investigation with git-bisect I found that the above
denials appeared after kernel commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=85653af7d488702165eba72c6c1dd0250fae4e70
The function stop_machine() (from kernel/stop_machine.c) was changed in
this commit in such a way that the system calls init_module()
& delete_module() need sys_nice & setsched. I didn't try to understand
the code too much (the consequences of this commit).

I found in the history of the SELinux mailing list that Martin Orr sent a patch
already. (The correspondence is attached.)
Martin's patch is available at URL:
http://www.martinorr.name/selinux/patches/151_module_setsched

Can Martin's patch be merged?
Thanks
-- 
Zito
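As an added example (not code from the thread), the core step that audit2allow performs, run over the two modprobe denials quoted above: parse the AVC records, group them by source type, target type and class, and emit allow rules, collapsing an identical source and target type into `self` as the refpolicy patch in the attached correspondence does for sys_nice.

```python
"""Turn SELinux AVC denials into candidate allow rules.

Added example, not code from the thread: the core step audit2allow performs,
run over the two modprobe denials reported above.
"""
import re
from collections import defaultdict

# Sample input: the two kernel log lines quoted in the report above.
SAMPLE_LOG = """\
May 22 07:26:11 sid kernel: [    9.195474] type=1400 audit(1211433957.144:3): avc:  denied  { sys_nice } for  pid=801 comm="modprobe" capability=23 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=capability
May 22 07:26:11 sid kernel: [    9.198362] type=1400 audit(1211433957.144:3): avc:  denied  { setsched } for  pid=801 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=process
"""

# 'avc:  denied  { perm perm } for  key=value ...' -> permission set and fields
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the permissions and key=value fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields


def context_type(ctx):
    """user:role:type[:range] -> type; the MLS range after the type is ignored."""
    return ctx.split(":")[2]


def denials_to_rules(log_text):
    """Aggregate denials by (source type, target type, class) into allow rules.

    When the target type equals the source type the rule uses 'self', which is
    the form the refpolicy patch in this thread uses for sys_nice.
    """
    perms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue  # not an AVC record
        src = context_type(d["scontext"])
        tgt = context_type(d["tcontext"])
        key = (src, "self" if src == tgt else tgt, d["tclass"])
        perms_by_key[key].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_str))
    return rules


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
```

The two rules it prints for the sample are the raw form of what the attached patch expresses through the kernel_load_module() interface; generated rules are a starting point for review, not something to paste into policy unread.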
--- Begin Message ---
Date: Wed, 19 Dec 2007 21:11:09 +0000
From: Martin Orr <martin@xxxxxxxxxxxxxx>
To: Stephen Smalley <sds@xxxxxxxxxxxxx>
CC: Chris PeBenito <pebenito@xxxxxxxxxx>, Eamon Walsh <ewalsh@xxxxxxxxxxxxx>,
        SELinux List <selinux@xxxxxxxxxxxxx>
Subject: Re: Xorg modprobe denials

On 18/12/07 13:57, Stephen Smalley wrote:
> On Tue, 2007-12-18 at 08:34 -0500, Stephen Smalley wrote:
>> On Mon, 2007-12-17 at 22:47 -0500, Chris PeBenito wrote:
>>> Based on the other kernel messages, I'm guessing that the insmod
>>> succeeded despite the tty and capability denials?  If so I suppose we
>>> can dontaudit it.
>> I don't think we want to dontaudit the capability denials.
> 
> And just to note, denials from insmod can be triggered either by
> userspace activity of insmod or by the module initialization code of the
> loaded module.

I find that on an SMP machine I need both the sys_nice capability and
setsched on kernel_t to load modules.

This is because stop_machine() is called by sys_init_module(), so it makes
sense to me to add these to kernel_load_module().

Index: policy/modules/kernel/kernel.if
===================================================================
--- policy/modules/kernel/kernel.if	(revision 2560)
+++ policy/modules/kernel/kernel.if	(working copy)
@@ -330,6 +330,9 @@

 	allow $1 self:capability sys_module;
 	typeattribute $1 can_load_kernmodule;
+
+	allow $1 self:capability sys_nice;
+	kernel_setsched($1)
 ')

 ########################################
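Review bot: The two added lines, `allow $1 self:capability sys_nice;` and `kernel_setsched($1)`, sit inside kernel_load_module(), so every caller of that interface gains CAP_SYS_NICE and setsched on kernel_t, not only insmod_t; that is the right place only if the requirement is inherent to the init_module() syscall rather than to insmod's userspace behaviour, so a comment above the new lines (or the patch description) should state the reason, the stop_machine() call inside sys_init_module(), and the interface's summary documentation, which this hunk does not touch, should list the extra permissions. The rules do match the audit records at the top of the thread: the capability denial has tcontext equal to scontext (hence `self`), and the setsched denial targets kernel_t. Note also that CAP_SYS_NICE grants more than the scheduling change stop_machine() needs (it covers changing the priority and CPU affinity of other processes), so the widened set of domains should be reviewed when the patch is applied.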

-- 
Martin Orr



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.


--- End Message ---
--- Begin Message ---
Subject: Re: Xorg modprobe denials
From: "Christopher J. PeBenito" <cpebenito@xxxxxxxxxx>
To: Martin Orr <martin@xxxxxxxxxxxxxx>
Cc: Stephen Smalley <sds@xxxxxxxxxxxxx>, Chris PeBenito <pebenito@xxxxxxxxxx>,
        Eamon Walsh <ewalsh@xxxxxxxxxxxxx>,
        SELinux List <selinux@xxxxxxxxxxxxx>
Date: Thu, 03 Jan 2008 10:30:56 -0500

On Wed, 2007-12-19 at 21:11 +0000, Martin Orr wrote:
> On 18/12/07 13:57, Stephen Smalley wrote:
> > On Tue, 2007-12-18 at 08:34 -0500, Stephen Smalley wrote:
> >> On Mon, 2007-12-17 at 22:47 -0500, Chris PeBenito wrote:
> >>> Based on the other kernel messages, I'm guessing that the insmod
> >>> succeeded despite the tty and capability denials?  If so I suppose we
> >>> can dontaudit it.
> >> I don't think we want to dontaudit the capability denials.
> > 
> > And just to note, denials from insmod can be triggered either by
> > userspace activity of insmod or by the module initialization code of the
> > loaded module.
> 
> I find that on an SMP machine I need both the sys_nice capability and
> setsched on kernel_t to load modules.
> 
> This is because stop_machine() is called by sys_init_module(), so it makes
> sense to me to add these to kernel_load_module().
> 
> Index: policy/modules/kernel/kernel.if
> ===================================================================
> --- policy/modules/kernel/kernel.if	(revision 2560)
> +++ policy/modules/kernel/kernel.if	(working copy)
> @@ -330,6 +330,9 @@
> 
>  	allow $1 self:capability sys_module;
>  	typeattribute $1 can_load_kernmodule;
> +
> +	allow $1 self:capability sys_nice;
> +	kernel_setsched($1)
>  ')

Are these rules inherent to anything that loads a module or specific
to insmod?  This patch only makes sense if it's the former.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150




--- End Message ---
--- Begin Message ---
Date: Thu, 03 Jan 2008 17:25:49 +0000
From: Martin Orr <martin@xxxxxxxxxxxxxx>
To: "Christopher J. PeBenito" <cpebenito@xxxxxxxxxx>
CC: Stephen Smalley <sds@xxxxxxxxxxxxx>, Chris PeBenito <pebenito@xxxxxxxxxx>,
        Eamon Walsh <ewalsh@xxxxxxxxxxxxx>,
        SELinux List <selinux@xxxxxxxxxxxxx>
Subject: Re: Xorg modprobe denials

On 03/01/08 15:30, Christopher J. PeBenito wrote:
> On Wed, 2007-12-19 at 21:11 +0000, Martin Orr wrote:
>> On 18/12/07 13:57, Stephen Smalley wrote:
>>> On Tue, 2007-12-18 at 08:34 -0500, Stephen Smalley wrote:
>>>> On Mon, 2007-12-17 at 22:47 -0500, Chris PeBenito wrote:
>>>>> Based on the other kernel messages, I'm guessing that the insmod
>>>>> succeeded despite the tty and capability denials?  If so I suppose we
>>>>> can dontaudit it.
>>>> I don't think we want to dontaudit the capability denials.
>>> And just to note, denials from insmod can be triggered either by
>>> userspace activity of insmod or by the module initialization code of the
>>> loaded module.
>> I find that on an SMP machine I need both the sys_nice capability and
>> setsched on kernel_t to load modules.
>>
>> This is because stop_machine() is called by sys_init_module(), so it makes
>> sense to me to add these to kernel_load_module().
>>
>> Index: policy/modules/kernel/kernel.if
>> ===================================================================
>> --- policy/modules/kernel/kernel.if	(revision 2560)
>> +++ policy/modules/kernel/kernel.if	(working copy)
>> @@ -330,6 +330,9 @@
>>
>>  	allow $1 self:capability sys_module;
>>  	typeattribute $1 can_load_kernmodule;
>> +
>> +	allow $1 self:capability sys_nice;
>> +	kernel_setsched($1)
>>  ')
> 
> Are these rules are inherent to anything that loads a module or specific
> to insmod?  This patch only makes sense if its the former.
>

It happens inside the init_module system call in the kernel, so anything
that loads a module needs it.

-- 
Martin Orr



--- End Message ---
