Eric Paris wrote:
On Sat, 2009-09-12 at 16:46 -0700, Justin Mattock wrote:
On Sat, Sep 12, 2009 at 3:28 PM, Eric Paris<eparis@xxxxxxxxxx> wrote:
On Sat, 2009-09-12 at 15:09 -0700, Justin Mattock wrote:
attached is dmesg of the latest
Head giving me an avc denial that
is giving me an error with checkpolicy:
/usr/bin/checkpolicy -c 22 -U deny policy.conf -o policy.22
/usr/bin/checkpolicy: loading policy configuration from policy.conf
policy/modules/services/xserver.te":1138:ERROR 'permission
module_request is not defined for class system' at token ';' on line
2904222:
allow NetworkManager_t kernel_t:system module_request;
#============= NetworkManager_t ==============
policy/modules/services/xserver.te":1141:ERROR 'permission
module_request is not defined for class system' at token ';' on line
2904225:
#============= insmod_t ==============
allow insmod_t kernel_t:system module_request;
policy/modules/services/xserver.te":1144:ERROR 'permission
module_request is not defined for class system' at token ';' on line
It's because you are using the -U deny. You are telling the kernel to
deny unknown permissions and then you are trying to define an unknown
permission. There is nothing wrong with the kernel.
I do need to submit the policy patch to define it, but that's not a good
idea until we know more or all of the places it is needed. I hoped to
work on that with dwalsh in rawhide before we push the policy patch
upstream. You can help there! In your base policy module you need to
define 'request_module' in the system class in
policy/flask/access_vectors, rebuild and load the base policy
module. Then you can use the request_module permission.
-Eric
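The check behind Eric's instruction, as an added shell example that is not part of the thread or of refpolicy: a small POSIX sh script that verifies whether a permission is defined inside a class block of a Flask access_vectors file, and inserts it (tab-indented, just before the closing brace) when it is missing, so the definition is in place before checkpolicy is run with -U deny. The sample file is a constructed excerpt, not the real policy/flask/access_vectors, and the function names av_has_perm and av_add_perm are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the mailing list thread or from refpolicy.
# Works on a Flask access_vectors-style file:
#   class system
#   {
#       ipc_info
#       ...
#   }

# av_has_perm FILE CLASS PERM
# Exit 0 if PERM appears inside the "class CLASS { ... }" block, 1 otherwise.
av_has_perm() {
    awk -v cls="$2" -v perm="$3" '
        # A class block starts with "class <name>"; its permissions sit
        # between the following { and }.
        $1 == "class" && $2 == cls { inblk = 1 }
        inblk && $1 == perm          { found = 1 }
        inblk && /}/                 { inblk = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# av_add_perm FILE CLASS PERM
# Print FILE to stdout with PERM inserted (tab-indented, as the surrounding
# entries are) before the closing brace of CLASS. Idempotent: if the
# permission is already defined the file is printed unchanged.
av_add_perm() {
    if av_has_perm "$1" "$2" "$3"; then
        cat "$1"
        return 0
    fi
    awk -v cls="$2" -v perm="$3" '
        $1 == "class" && $2 == cls { inblk = 1 }
        inblk && /}/ { printf "\t%s\n", perm; inblk = 0 }
        { print }
    ' "$1"
}

# Constructed sample modelled on the shape of access_vectors; not the real file.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
BEFORE="$SAMPLE_DIR/access_vectors.before"
AFTER="$SAMPLE_DIR/access_vectors.after"
cat > "$BEFORE" <<'EOF'
# constructed excerpt for the example
class capability
{
	chown
	dac_override
}

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
}
EOF

# Add module_request to class system, writing the result to a new file.
av_add_perm "$BEFORE" system module_request > "$AFTER"

if av_has_perm "$AFTER" system module_request; then
    echo "module_request is defined in class system; checkpolicy -U deny will accept the allow rules"
else
    echo "module_request is NOT defined in class system"
fi
```

Run it against the real file with `av_has_perm policy/flask/access_vectors system module_request` before building; if it returns non-zero, every `allow ... kernel_t:system module_request;` rule will fail to compile under -U deny exactly as in the error above.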
O.K. this was just hit and miss
(I don't know what I'm doing but am willing to try).
Below fixes the error from checkpolicy,
but I'm not sure if it's correct.
From 4095a245f8a4a75d8ab2f94d816159d8b180ed1f Mon Sep 17 00:00:00 2001
From: Justin P. Mattock<justinmattock@xxxxxxxxx>
Date: Sat, 12 Sep 2009 16:42:06 -0700
Subject: [PATCH] add module_request support
Signed-off-by: Justin P. Mattock<justinmattock@xxxxxxxxx>
---
policy/flask/access_vectors | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 3998b77..67ab292 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -349,6 +349,7 @@ class system
syslog_read
syslog_mod
syslog_console
+ module_request
}
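Review bot: the added `module_request` line should be indented with a tab like the neighbouring `syslog_*` entries, not eight spaces, so the hunk matches the file's existing style. Also worth flagging for anyone applying this: the name `module_request` matches the permission the checkpolicy errors and the generated `allow ... kernel_t:system module_request;` rules refer to (Eric's reply spells it 'request_module'), and merely defining the permission changes behaviour for policies built with -U allow, which will begin logging denials until the needed allow rules exist.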
Yes that is correct (outside of the fact you used eight spaces instead
of a tab)
But upstream should not commit this until a number of people have tried
to run kernels with it defined and fleshed out some reasonable number of
the necessary allow rules (because just defining it will cause people
with -U allow to start getting denials).
-Eric
Hey alright. (I'd have to say a lucky
guess on my part.)
In this case either you can take the
patch (if I need to redo it I will),
sign off on it, then store it somewhere
until people start hitting this,
then go from there.
As a backup I'll leave it on my facebook
account (so I don't forget and lose it).
Overall, thanks for helping me on this.
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.