[refpolicy] [PATCH]: dontaudit sys_module wpa_supplicant
Russell Coker
russell at coker.com.au
Sun Mar 20 16:55:53 CDT 2011
On Mon, 21 Mar 2011, Guido Trentalancia <guido at trentalancia.com> wrote:
> > Sounds like we want to allow the wpa_supplicant to do this.
>
> Not everybody likes that to happen. And surely there must be a good
> reason for having a "neverallow" rule in kernel/kernel.te which blocks
> everything.
>
> See Bug#515136 on Debian but even more importantly Bug#684415 on Fedora.
That Debian bug isn't relevant.
Dan asked "Why would wpa_supplicant be loading kernel modules directly?". You
have answered that question in this discussion; you could include your answer
in the Red Hat Bugzilla if you want.
On Mon, 21 Mar 2011, Guido Trentalancia <guido at trentalancia.com> wrote:
> So unless Dan Walsh changes his mind there needs to be at least one
> ifdef (for DISTRO=redhat).
If Dan has expressed an opinion on this matter then please cite a reference.
Asking why something happens is a long way from stating an opinion that it
shouldn't be permitted.
> I am happy to prepare a patch which does can_load_kernmodule()/dontaudit
> depending on the distribution, but I need to hear from people with
> authority for each distribution. And Christopher should decide what
> would be the default behaviour.
You have already heard from me.
Don't get too bothered about getting support from different distributions, no-
one else worries much about such things.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/