trunk: Module loading now requires setsched on kernel threads.

Changelog

@@ -1,3 +1,4 @@
+- Module loading now requires setsched on kernel threads.
 - Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
 - X application data class from Eamon Walsh and Ted Toth.
 - Move user roles into individual modules.

policy/modules/kernel/kernel.if

@@ -330,6 +330,11 @@ interface(`kernel_load_module',`
 
 	allow $1 self:capability sys_module;
 	typeattribute $1 can_load_kernmodule;
+
+	# load_module() calls stop_machine() which
+	# calls sched_setscheduler()
+	allow $1 self:capability sys_nice;
+	kernel_setsched($1)
 ')
 
 ########################################

policy/modules/kernel/kernel.te

@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.9.1)
+policy_module(kernel,1.9.2)
 
 ########################################
 #

policy/modules/services/networkmanager.te

@@ -20,7 +20,7 @@ files_pid_file(NetworkManager_var_run_t)
 
 # networkmanager will ptrace itself if gdb is installed
 # and it receives a unexpected signal (rh bug #204161) 
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
+allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock };
 dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
 allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
 allow NetworkManager_t self:fifo_file rw_fifo_file_perms;