modutils: Dontaudit CAP_SYS_ADMIN checks for modprobe

The ttm module, a dependency of radeon/amdgpu, does some
capable(CAP_SYS_ADMIN) checks. Changes in 4.13 have caused some of these
checks to be executed during module initialization, in the context of
modprobe, which fills the audit logs with a lot of denials.

Since failing these capable() checks is not an issue (they merely
control the access to emergency memory reserves, which shouldn't be an
issue during boot), I'm dontauditing them.

One potential issue with this is that if a module that actually needs
CAP_SYS_ADMIN during initialization comes along later, the dontaudit is
going to make the debugging a bit more annoying. Is anyone concerned
about this?
Luis Ressel 2017-11-15 08:09:50 +01:00 committed by Chris PeBenito
parent 96c917b41a
commit d5d8590e51


@ -37,6 +37,8 @@ ifdef(`init_systemd',`
allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
# for the radeon/amdgpu modules
dontaudit kmod_t self:capability sys_admin;
allow kmod_t self:udp_socket create_socket_perms;
allow kmod_t self:rawip_socket create_socket_perms;
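Review bot: The comment `# for the radeon/amdgpu modules` above the new `dontaudit kmod_t self:capability sys_admin;` line under-documents the rule; it should record that the denials come from the ttm dependency's capable(CAP_SYS_ADMIN) checks run during module initialization since kernel 4.13, and that those checks only gate emergency memory reserves, so a later maintainer can judge when the dontaudit is safe to drop. On the debugging concern raised in the message: the rule silences every CAP_SYS_ADMIN denial for kmod_t, not only the ttm ones, but a policy rebuilt with `semodule -DB` has all dontaudit rules disabled, so a future module that genuinely needs the capability during init can still be diagnosed without editing this rule.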