SELinux Mailing List

Re: Xorg modprobe denials

From: Martin Orr <martin_at_martinorr.name>
Date: Thu, 03 Jan 2008 17:25:49 +0000


On 03/01/08 15:30, Christopher J. PeBenito wrote:

> On Wed, 2007-12-19 at 21:11 +0000, Martin Orr wrote:

>> On 18/12/07 13:57, Stephen Smalley wrote:
>>> On Tue, 2007-12-18 at 08:34 -0500, Stephen Smalley wrote:
>>>> On Mon, 2007-12-17 at 22:47 -0500, Chris PeBenito wrote:
>>>>> Based on the other kernel messages, I'm guessing that the insmod
>>>>> succeeded despite the tty and capability denials? If so I suppose we
>>>>> can dontaudit it.
>>>> I don't think we want to dontaudit the capability denials.
>>> And just to note, denials from insmod can be triggered either by
>>> userspace activity of insmod or by the module initialization code of the
>>> loaded module.
>> I find that on an SMP machine I need both the sys_nice capability and
>> setsched on kernel_t to load modules.
>>
>> This is because stop_machine() is called by sys_init_module(), so it makes
>> sense to me to add these to kernel_load_module().
>>
>> Index: policy/modules/kernel/kernel.if
>> ===================================================================
>> --- policy/modules/kernel/kernel.if (revision 2560)
>> +++ policy/modules/kernel/kernel.if (working copy)
>> @@ -330,6 +330,9 @@
>>
>> allow $1 self:capability sys_module;
>> typeattribute $1 can_load_kernmodule;
>> +
>> + allow $1 self:capability sys_nice;
>> + kernel_setsched($1)
>> ')
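Review bot: the rationale for granting sys_nice and setsched inside kernel_load_module() is not recorded in the interface itself, so a reader of kernel.if sees a module-loading interface handing out a scheduling capability with no explanation. Add a short comment above the two new lines, e.g. `# sys_init_module() calls stop_machine(), which needs sys_nice and setsched on kernel_t on SMP`, so the reasoning from this thread survives into the policy source. The new `allow $1 self:capability sys_nice;` also lands after `typeattribute $1 can_load_kernmodule;`; placing it next to `allow $1 self:capability sys_module;` keeps the capability rules of the interface together.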
> 
> Are these rules inherent to anything that loads a module or specific
> to insmod?  This patch only makes sense if it's the former.
>

It happens inside the init_module system call in the kernel, so anything that loads a module needs it.

-- 
Martin Orr

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Thu 3 Jan 2008 - 12:26:13 EST
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009
National Security Agency / Central Security Service