From 4416c416fa22560508e10e3f7cc27826503812e2 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: May 22 2008 18:39:03 +0000
Subject: trunk: Module loading now requires setsched on kernel threads.
---
diff --git a/Changelog b/Changelog
index be0be9e..155e0f0 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Module loading now requires setsched on kernel threads.
 - Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
 - X application data class from Eamon Walsh and Ted Toth.
 - Move user roles into individual modules.
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 66e8548..34e6292 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -330,6 +330,11 @@ interface(`kernel_load_module',`
 allow $1 self:capability sys_module;
 typeattribute $1 can_load_kernmodule;
+
+ # load_module() calls stop_machine() which
+ # calls sched_setscheduler()
+ allow $1 self:capability sys_nice;
+ kernel_setsched($1)
 ')
 ########################################
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 5478533..5d95440 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.9.1)
+policy_module(kernel,1.9.2)
 ########################################
 #
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 36188cc..7ebaa07 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
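Review bot: The `## <summary>`/`## <desc>` header of interface(`kernel_load_module`) sits above this hunk (the interface body starts outside it) and still describes only module loading, yet every caller now also receives the `sys_nice` capability and, through `kernel_setsched($1)`, permission to change the scheduling of kernel threads, which anyone auditing a domain's grants needs to see at the documented interface rather than in the implementation. A line in that description such as `## Also allows the sys_nice capability and setting the scheduler of kernel threads, which load_module() needs via stop_machine().` would make the widened grant visible. The inline comment explaining the load_module() to stop_machine() to sched_setscheduler() chain is useful; if this requirement is tied to a particular kernel version, as the subject's "now requires" suggests, recording that version in the same comment would help later tightening, but the hunk does not show which one.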
@@ -20,7 +20,7 @@ files_pid_file(NetworkManager_var_run_t)
 # networkmanager will ptrace itself if gdb is installed
 # and it receives a unexpected signal (rh bug #204161)
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
+allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock };
 dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
 allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
 allow NetworkManager_t self:fifo_file rw_fifo_file_perms;