kernel: Add dontaudits when secure_mode_insmod is enabled.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>

policy/modules/kernel/files.if

@@ -4367,6 +4367,25 @@ interface(`files_load_kernel_modules',`
 	allow $1 modules_object_t:system module_load;
 ')
 
+########################################
+## <summary>
+##	Load kernel module files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_load_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	dontaudit $1 modules_object_t:file read_file_perms;
+	dontaudit $1 modules_object_t:system module_load;
+')
+
 ########################################
 ## <summary>
 ##	List world-readable directories.

policy/modules/kernel/kernel.te

@@ -497,7 +497,20 @@ optional_policy(`
 # Kernel module loading policy
 #
 
-if( ! secure_mode_insmod ) {
+if(secure_mode_insmod) {
+	dontaudit can_load_kernmodule self:capability sys_module;
+	dontaudit can_load_kernmodule self:system module_load;
+
+	files_dontaudit_load_kernel_modules(can_load_kernmodule)
+
+	# load_module() calls stop_machine() which
+	# calls sched_setscheduler()
+	# gt: there seems to be no trace of the above, at
+	# least in kernel versions greater than 2.6.37...
+	dontaudit can_load_kernmodule self:capability sys_nice;
+	dontaudit can_load_kernmodule kernel_t:process setsched;
+	dontaudit can_load_kernmodule kernel_t:key search;
+} else {
 	allow can_load_kernmodule self:capability sys_module;
 	allow can_load_kernmodule self:system module_load;