attached is dmesg of the latest
Head giving me an avc denial that
is giving me an error with checkpolicy:
/usr/bin/checkpolicy -c 22 -U deny policy.conf -o policy.22
/usr/bin/checkpolicy: loading policy configuration from policy.conf
policy/modules/services/xserver.te":1138:ERROR 'permission
module_request is not defined for class system' at token ';' on line
2904222:
allow NetworkManager_t kernel_t:system module_request;
#============= NetworkManager_t ==============
policy/modules/services/xserver.te":1141:ERROR 'permission
module_request is not defined for class system' at token ';' on line
2904225:
#============= insmod_t ==============
allow insmod_t kernel_t:system module_request;
policy/modules/services/xserver.te":1144:ERROR 'permission
module_request is not defined for class system' at token ';' on line
2904228:
allow iptables_t kernel_t:system module_request;
#============= iptables_t ==============
checkpolicy: error(s) encountered while parsing configuration
make: *** [policy.22] Error 1
(please ignore the xserver.te, as a quick way using a monolithic
policy, I just randomly throw the allow rules anywhere, before
individually locating the right location).
here is what git bisect is showing me:
25354c4fee169710fd9da15f3bb2abaa24dcf933 is first bad commit
commit 25354c4fee169710fd9da15f3bb2abaa24dcf933
Author: Eric Paris <eparis@xxxxxxxxxx>
Date: Thu Aug 13 09:45:03 2009 -0400
SELinux: add selinux_kernel_module_request
This patch adds a new selinux hook so SELinux can arbitrate if a given
process should be allowed to trigger a request for the kernel to try to
load a module. This is a different operation than a process trying to load
a module itself, which is already protected by CAP_SYS_MODULE.
Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
Acked-by: Serge Hallyn <serue@xxxxxxxxxx>
Signed-off-by: James Morris <jmorris@xxxxxxxxx>
:040000 040000 0585d8667e7c54b9b3e07f419dc8eff62b32fe96
f63f56f137352a90a909d11d37e8f5462f4306ff M security
and FWIW git bisect log:
git bisect start
# bad: [332a3392188e0ad966543c87b8da2b9d246f301d] Merge
git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
git bisect bad 332a3392188e0ad966543c87b8da2b9d246f301d
# good: [ed680c4ad478d0fee9740f7d029087f181346564] Linux 2.6.31-rc5
git bisect good ed680c4ad478d0fee9740f7d029087f181346564
# good: [f415c413f458837bd0c27086b79aca889f9435e4] Merge
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
git bisect good f415c413f458837bd0c27086b79aca889f9435e4
# good: [6a0f4021469727675b83d85ac91d106bfae0e2c3] Merge branch
'topic/dummy' into for-linus
git bisect good 6a0f4021469727675b83d85ac91d106bfae0e2c3
# bad: [a12e4d304ce701844c639541d90df86e165d03f9] Merge branch
'writeback' of git://git.kernel.dk/linux-2.6-block
git bisect bad a12e4d304ce701844c639541d90df86e165d03f9
# bad: [2490138cb785d299d898b579fa2874a59a3d321a] Merge branch
'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband
git bisect bad 2490138cb785d299d898b579fa2874a59a3d321a
# bad: [9f0ab4a3f0fdb1ff404d150618ace2fa069bb2e1] binfmt_elf: fix
PT_INTERP bss handling
git bisect bad 9f0ab4a3f0fdb1ff404d150618ace2fa069bb2e1
# good: [896a6de40ef3814525632609799af909338f50c3] mm_for_maps: take
->cred_guard_mutex to fix the race with exec
git bisect good 896a6de40ef3814525632609799af909338f50c3
# bad: [0c2c9a3fc77e8b60d43d9bd2ca46eb4dddb0ff76] KEYS: Allow
keyctl_revoke() on keys that have SETATTR but not WRITE perm [try #6]
git bisect bad 0c2c9a3fc77e8b60d43d9bd2ca46eb4dddb0ff76
# bad: [ece13879e74313e62109e0755dd3d4f172df89e2] Merge branch
'master' into next
git bisect bad ece13879e74313e62109e0755dd3d4f172df89e2
# bad: [25354c4fee169710fd9da15f3bb2abaa24dcf933] SELinux: add
selinux_kernel_module_request
git bisect bad 25354c4fee169710fd9da15f3bb2abaa24dcf933
# good: [a8f80e8ff94ecba629542d9b4b5f5a8ee3eb565c] Networking: use
CAP_NET_ADMIN when deciding to call request_module
git bisect good a8f80e8ff94ecba629542d9b4b5f5a8ee3eb565c
# good: [9188499cdb117d86a1ea6b04374095b098d56936] security:
introducing security_request_module
git bisect good 9188499cdb117d86a1ea6b04374095b098d56936
The system is an LFS,
there is no proprietary modules
at all with this kernel.
I have another machine running
rc-8 and it seems to not be producing
this avc.(keep in mind it does have
two proprietary modules: nvidia wl).
--
Justin P. Mattock
Attachment:
dmesg
Description: Binary data
