author Luis Ressel <aranea@aixah.de> 2017-11-15 08:09:50 +0100
committer Jason Zaman <jason@perfinion.com> 2017-12-12 15:03:03 +0800
commit d57d7552847b31af63202cd5ecc83414a3a1aee8 (patch)
tree 596a8a9f82793ef01c05a6c9eafd7d7f0e97c0c0
parent dmesg: Grant read access to /usr/share/terminfo (diff)
modutils: Dontaudit CAP_SYS_ADMIN checks for modprobe
The ttm module, a dependency of radeon/amdgpu, does some capable(CAP_SYS_ADMIN) checks. Changes in 4.13 have caused some of these checks to be executed during module initialization, in the context of modprobe, which fills the audit logs with a lot of denials. Since failing these capable() checks is not an issue (they merely control the access to emergency memory reserves, which shouldn't be an issue during boot), I'm dontauditing them. One potential issue with this is that if a module that actually needs CAP_SYS_ADMIN during initialization comes along later, the dontaudit is going to make the debugging a bit more annoying. Is anyone concerned about this?
-rw-r--r-- policy/modules/system/modutils.te | 2
1 files changed, 2 insertions, 0 deletions
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 982299898..1fef61284 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -38,6 +38,8 @@ ifdef(`init_systemd',`
allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
+# for the radeon/amdgpu modules
+dontaudit kmod_t self:capability sys_admin;
allow kmod_t self:udp_socket create_socket_perms;
allow kmod_t self:rawip_socket create_socket_perms;
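Review bot: The new `dontaudit kmod_t self:capability sys_admin;` is inserted after the `self:process` rule instead of directly beneath `allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };` two lines above; refpolicy keeps rules for one class together, so it belongs right under that allow. The comment `# for the radeon/amdgpu modules` should also carry the reason given in the commit message (ttm's capable(CAP_SYS_ADMIN) checks running at module init since kernel 4.13) so a later maintainer can tell when the rule has become obsolete. Note that this is a blanket dontaudit: it hides every CAP_SYS_ADMIN denial for kmod_t, including one from a module that genuinely needs the capability during initialization, which is the debugging cost the commit message itself raises; recording the trigger in the comment, and relying on `semodule -DB` to temporarily re-enable auditing of dontaudited accesses when such a case needs to be diagnosed, keeps that cost manageable.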