On Thu, 2008-05-22 at 14:29 +0200, Václav Ovsík wrote:
> While playing with current Debian Sid, Linux 2.6.25, I noticed denials
> on modprobe:
>
> May 22 07:26:11 sid kernel: [ 9.195474] type=1400 audit(1211433957.144:3): avc: denied { sys_nice } for pid=801 comm="modprobe" capability=23 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=capability
> May 22 07:26:11 sid kernel: [ 9.198362] type=1400 audit(1211433957.144:3): avc: denied { setsched } for pid=801 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=process
>
> After a longer investigation with git-bisect I found that the above
> denials appeared after kernel commit:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=85653af7d488702165eba72c6c1dd0250fae4e70
> The function stop_machine() (from kernel/stop_machine.c) was changed in
> this commit in such a way that the system calls init_module()
> & delete_module() need sys_nice & setsched. I didn't try to understand
> the code too much (consequences of this commit).
>
> I found in the history of the SE Linux mailing list that Martin Orr sent a patch
> already. (The correspondence attached.)
> Martin's patch is available at URL:
> http://www.martinorr.name/selinux/patches/151_module_setsched

I added that and comments as to why it's needed.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
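As an added illustration that is not part of this thread or of refpolicy, the Python below parses the two AVC denials quoted above into source type, target type, object class and permissions, and renders the raw allow rules a policy fix would have to cover, the same derivation a tool like audit2allow performs. The sample lines are the ones quoted in the thread; the rule syntax it emits is my assumption of refpolicy style, and a real fix would go through the policy's interfaces rather than raw rules.

```python
import re

# Constructed sample input: the two AVC denials quoted in the thread above.
AVC_LINES = [
    'May 22 07:26:11 sid kernel: [ 9.195474] type=1400 audit(1211433957.144:3): '
    'avc: denied { sys_nice } for pid=801 comm="modprobe" capability=23 '
    'scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=capability',
    'May 22 07:26:11 sid kernel: [ 9.198362] type=1400 audit(1211433957.144:3): '
    'avc: denied { setsched } for pid=801 comm="modprobe" '
    'scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=process',
]

# The fields of a denial that a policy rule is built from: permission set,
# source and target security contexts, and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    # user:role:type[:range] -> the type field (what rules are written against)
    return ctx.split(':')[2]

def parse_avc(line):
    # Return the rule-relevant fields of one denial, or None for other lines.
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {'perms': m.group('perms').split(),
            'source': context_type(m.group('scontext')),
            'target': context_type(m.group('tcontext')),
            'tclass': m.group('tclass')}

def allow_rules(lines):
    # Merge permissions per (source, target, class) and render allow rules in
    # assumed refpolicy-style syntax; 'self' when source and target coincide,
    # as in the sys_nice capability denial above.
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            key = (d['source'], d['target'], d['tclass'])
            merged.setdefault(key, set()).update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ ' + perm_str + ' }'
        rules.append(f'allow {src} {"self" if src == tgt else tgt}:{cls} {perm_str};')
    return rules
```

Running `allow_rules(AVC_LINES)` yields one capability rule against self and one setsched rule against kernel_t, which is exactly the pair of accesses the stop_machine() change made init_module()/delete_module() require.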