On 07/11/2016 08:51 PM, YongQin Liu wrote:
> On 11 July 2016 at 23:08, Stephen Smalley <[email protected]
> <mailto:[email protected]>> wrote:
>
> > On 07/07/2016 01:11 PM, YongQin Liu wrote:
> > > Hi, ALL
> > >
> > > When I try AOSP master with the hikey board, I see the following
> > > sys_module denial in the netd domain.
> > >
> > > avc: denied { sys_module } for pid=1775 comm="netd" capability=16
> > > scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability permissive=0
> > >
> > > After some checking, I found it was caused by the "capable(CAP_SYS_MODULE)"
> > > call in the dev_load method of the kernel net/core/dev_ioctl.c file here:
> > >
> > > https://android.googlesource.com/kernel/hikey-linaro/+/refs/heads/android-hikey-linaro-4.4/net/core/dev_ioctl.c#371
> > >
> > > When I comment out the capable(CAP_SYS_MODULE) check, there is no
> > > sys_module denial output.
> > >
> > > I did not dig into the implementation of capable, but shouldn't it just
> > > return false without the sys_module denial?
> >
> > Why would you expect it to do that? netd has CAP_SYS_MODULE in its
> > effective capability set, so you'll pass the capability module check but
> > will then fail the SELinux check if it is not allowed by policy.
>
> When it fails the SELinux check, it will output the avc denial like this:
> > avc: denied { sys_module } for pid=1775 comm="netd" capability=16
> > scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability permissive=0
>
> And this will make people wonder why this avc denial is caused, and
> they will check if there is something wrong in the source.
>
> So I think it's better to not show this avc denial during the check when
> CAP_SYS_MODULE is not allowed.
Then add a dontaudit rule for it.

_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
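What that one-line answer amounts to in practice, as an added example that is not part of the thread and not AOSP's own tooling: the avc line quoted above carries everything a policy rule needs (scontext domain, tcontext domain, tclass, permission), and the script below turns it into the `dontaudit` rule Stephen is suggesting. Because scontext and tcontext are both u:r:netd:s0, the target collapses to `self`. The `DENIAL` string is the denial from the thread; `avc_to_rule` is a helper name I made up; it assumes a POSIX sh with awk. For a real policy tree you would feed the same line to `audit2allow -D` against the built sepolicy instead, which also checks the rule against the loaded policy.

```shell
#!/bin/sh
# Added example, not from the thread or from AOSP: derive a policy rule
# from an avc denial line. With "dontaudit" it yields the rule Stephen
# suggests for netd.te:
#   dontaudit netd self:capability sys_module;
# A dontaudit only suppresses the log entry; capable(CAP_SYS_MODULE)
# still returns false for netd, so dev_load() still does not try to load
# the module. It also never conflicts with neverallow rules, which only
# constrain allow rules.

# The denial quoted in the thread, exactly as logged.
DENIAL='avc: denied { sys_module } for pid=1775 comm="netd" capability=16 scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability permissive=0'

# avc_to_rule KIND LINE
#   KIND is "dontaudit" or "allow"; LINE is one avc: denied line.
#   Prints: KIND <source domain> <target domain or self>:<class> <perms>;
avc_to_rule() {
    kind=$1
    line=$2
    printf '%s\n' "$line" | awk -v kind="$kind" '
    {
        # Permissions are the whitespace-separated tokens between "{" and "}".
        perms = ""
        inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : " ") $i; continue }
            # Everything else of interest is key=value (pid, comm, scontext, ...).
            n = index($i, "=")
            if (n > 0) kv[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        # The type is the third field of user:role:type:sensitivity.
        split(kv["scontext"], s, ":"); sdom = s[3]
        split(kv["tcontext"], t, ":"); tdom = t[3]
        # Same context on both sides is written as "self" in policy.
        target = (kv["scontext"] == kv["tcontext"]) ? "self" : tdom
        # More than one permission needs braces.
        if (split(perms, p, " ") > 1) perms = "{ " perms " }"
        printf "%s %s %s:%s %s;\n", kind, sdom, target, kv["tclass"], perms
    }'
}

# Prints: dontaudit netd self:capability sys_module;
avc_to_rule dontaudit "$DENIAL"
```

The emitted line goes into the netd domain's .te file in the policy tree (netd.te in AOSP's system/sepolicy). Note that capabilities numbered 32 and above are logged with tclass=capability2; the script copies whatever tclass the kernel printed, so that case comes out right without special handling.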
