From: Daniel J Walsh <dwalsh@redhat.com>
To: Justin Mattock <justinmattock@gmail.com>
Cc: SE-Linux <selinux@tycho.nsa.gov>,
tresys <refpolicy@oss.tresys.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [refpolicy] ath9k capability=16 won't compile into policy
Date: Thu, 18 Dec 2008 11:45:01 -0500
Message-ID: <494A7E0D.6050200@redhat.com>
In-Reply-To: <dd18b0c30812161426l678b4bcx104efd63797c162d@mail.gmail.com>
Justin Mattock wrote:
> I'm not too sure if I should post this with SELinux,
> refpolicy, or kernel.org (or even wpasupplicant),
> so I decided to do all to the best of my knowledge.
> When using the ath9k module with the latest git
> kernel (or at least a few days old) and the latest refpolicy (svn),
> I'm seeing this avc denial show up:
>
> Dec 16 12:33:32 name kernel: [ 20.415785] type=1400
> audit(1229459612.411:3): avc: denied { sys_module } for pid=2510
> comm="wpa_supplicant" capability=16
> scontext=system_u:system_r:system_dbusd_t:s0
> tcontext=system_u:system_r:system_dbusd_t:s0 tclass=capability
> Dec 16 12:33:32 name kernel: [ 20.428494] type=1300
> audit(1229459612.411:3): arch=40000003 syscall=54 success=no exit=-19
> a0=9 a1=8933 a2=bfadd94c a3=bfadd94c items=0 ppid=1 pid=2510
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="wpa_supplicant"
> exe="/sbin/wpa_supplicant" subj=system_u:system_r:system_dbusd_t:s0
> key=(null)
>
> The allow rule is (with ath9k module):
> allow system_dbusd_t self:capability sys_module;
> which in turn will be rejected by checkpolicy
> (capability 16)
> when compiling the policy.
>
> If I use the madwifi module the avc is similar but produces
> allow system_dbusd_t self:capability { sys_admin }
> (capability 12)
> and will be accepted by checkpolicy.
>
> As for setup, I'm using NetworkManager from
> intrepid as well as wpasupplicant.
>
> Any info would be appreciated so I can test this module out
> and feel better knowing the module is not being denied in any
> way that might cause a false positive, or some other weirdness.
>
>
> regards;
We label wpa_supplicant as NetworkManager_exec_t and have dbus
transition to this domain.
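
An added example, not part of the original message or of refpolicy: a small triage of the quoted AVC record that rebuilds the candidate allow rule and lists why it should be reviewed rather than granted, including that the denial shows wpa_supplicant running in system_dbusd_t, which is the situation the labeling and transition in the reply avoid. The capability table is a subset of linux/capability.h; `REVIEW_FIRST` and `EXPECTED_COMM` are assumptions made for illustration.

```python
import re

# Subset of linux/capability.h covering the numbers relevant here.
CAP_NAMES = {12: "net_admin", 16: "sys_module", 21: "sys_admin"}
# Assumptions for illustration: capabilities to review, and the command
# normally expected in each domain (not read from any real policy).
REVIEW_FIRST = {"sys_module", "sys_admin"}
EXPECTED_COMM = {"system_dbusd_t": {"dbus-daemon"}}

# Constructed sample: the type=1400 record quoted above, joined onto one line.
SAMPLE_AVC = (
    'type=1400 audit(1229459612.411:3): avc: denied { sys_module } for pid=2510 '
    'comm="wpa_supplicant" capability=16 '
    'scontext=system_u:system_r:system_dbusd_t:s0 '
    'tcontext=system_u:system_r:system_dbusd_t:s0 tclass=capability'
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")


def parse_avc(line):
    """Return the denial's fields as a dict, or None if line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest"))
    rec = {key: value.strip('"') for key, value in pairs}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the type is the third component.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def triage(rec, expected_comm=EXPECTED_COMM):
    """Return (candidate allow rule, reasons to review before granting it)."""
    target = "self" if rec["stype"] == rec["ttype"] else rec["ttype"]
    perms = " ".join(rec["perms"])
    if len(rec["perms"]) > 1:
        perms = "{ " + perms + " }"
    rule = f"allow {rec['stype']} {target}:{rec['tclass']} {perms};"
    notes = []
    name = CAP_NAMES.get(int(rec.get("capability", -1)))
    if name and name not in rec["perms"]:
        notes.append(f"capability number maps to {name}, not the logged permission")
    if REVIEW_FIRST & set(rec["perms"]):
        notes.append("high-impact capability requested")
    if rec.get("comm") not in expected_comm.get(rec["stype"], {rec.get("comm")}):
        notes.append(f"{rec.get('comm')} runs in {rec['stype']}: check label and transition")
    return rule, notes
```

Calling `triage(parse_avc(SAMPLE_AVC))` returns the same rule text quoted in the message together with two review notes.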