11-19-2011, 01:42 PM
Ian Malone

systemd or selinux problem? CAP_SYS_MODULE/CAP_NET_ADMIN

Hi,

I've got quite a few of these during boot, anyone know what might be the cause?

Loading kernel module for a network device with CAP_SYS_MODULE (deprecated).
Use CAP_NET_ADMIN and alias X instead.

Where X includes netdev-snd_ice1724, netdev-snd_ac97_codec, netdev-fat,
netdev-vfat, netdev-bluetooth, netdev-nf_conntrack and others. Think
they may all be netdev-. I've tried an autorelabel in case it's a
labelling issue.

This is F15 64bit with:
kernel-2.6.40.8-3.bz731672.fc15.x86_64
kernel-2.6.41.1-1.fc15.x86_64
(both)
systemd-26-13.fc15.x86_64
selinux-policy-targeted-3.9.16-44.fc15.noarch
selinux-policy-3.9.16-44.fc15.noarch

$ getenforce
Enforcing

Thanks.
--
imalone
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
11-19-2011, 05:38 PM
Deron Meranda

On Sat, Nov 19, 2011 at 9:42 AM, Ian Malone <ibmalone@gmail.com> wrote:
> I've got quite a few of these during boot, anyone know what might be the cause?
>
> Loading kernel module for a network device with CAP_SYS_MODULE (deprecated).
> Use CAP_NET_ADMIN and alias X instead.
>
> Where X includes netdev-snd_ice1724, netdev-snd_ac97_codec, netdev-fat,
> netdev-vfat, netdev-bluetooth, netdev-nf_conntrack and others. Think
> they may all be netdev-. I've tried an autorelabel in case it's a
> labelling issue.

This sounds like neither a systemd nor an SELinux issue. Are you
seeing anything more specific, like an AVC error?

Anyway the CAP_* symbols refer to the kernel "capabilities" (do a man
capabilities). These are kernel-level security features, but unrelated
to SELinux.

The output of lsmod may also help somebody who's more familiar with this.


--
Deron Meranda
http://deron.meranda.us/
11-19-2011, 11:09 PM
Ian Malone

On 19 November 2011 18:38, Deron Meranda <deron.meranda@gmail.com> wrote:
> On Sat, Nov 19, 2011 at 9:42 AM, Ian Malone <ibmalone@gmail.com> wrote:
>> I've got quite a few of these during boot, anyone know what might be the cause?
>>
>> Loading kernel module for a network device with CAP_SYS_MODULE (deprecated).
>> Use CAP_NET_ADMIN and alias X instead.
>>
>> Where X includes netdev-snd_ice1724, netdev-snd_ac97_codec, netdev-fat,
>> netdev-vfat, netdev-bluetooth, netdev-nf_conntrack and others. Think
>> they may all be netdev-. I've tried an autorelabel in case it's a
>> labelling issue.
>
> This sounds like neither a systemd nor an SELinux issue. Are you
> seeing anything more specific, like an AVC error?
>

No I'm not, two unrelated sealerts (gnome-session-check-accel,
/bin/mailx). I know there's a systemd unit (or appears to be) to load
kernel modules, I was wondering if this was responsible for attempting
to load these with the wrong context.

> Anyway the CAP_* symbols refer to the kernel "capabilities" (do a man
> capabilities). These are kernel-level security features, but unrelated
> to SELinux.
>

Interesting, thanks.

> The output of lsmod may also help somebody who's more familiar with this.
>
>

lsmod
Module Size Used by
sunrpc 200079 1
cpufreq_ondemand 5934 4
powernow_k8 21534 0
mperf 1449 1 powernow_k8
bnep 14635 2
bluetooth 191587 7 bnep
nf_conntrack_ipv4 8358 5
nf_defrag_ipv4 1513 1 nf_conntrack_ipv4
ip6t_REJECT 3992 2
nf_conntrack_ipv6 7730 5
nf_defrag_ipv6 9083 1 nf_conntrack_ipv6
xt_state 1306 10
nf_conntrack 67613 3 nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
ip6table_filter 1655 1
ip6_tables 16908 1 ip6table_filter
scsi_wait_scan 789 0
arc4 1417 2
rt2500pci 16085 0
rt2x00pci 5768 1 rt2500pci
rt2x00lib 46198 2 rt2500pci,rt2x00pci
mac80211 247272 2 rt2x00pci,rt2x00lib
nvidia 11693990 40
vfat 8616 1
fat 44881 1 vfat
snd_ice1724 113708 2
snd_ice17xx_ak4xxx 2720 1 snd_ice1724
snd_ac97_codec 115725 1 snd_ice1724
ac97_bus 1314 1 snd_ac97_codec
snd_ak4xxx_adda 8120 2 snd_ice1724,snd_ice17xx_ak4xxx
snd_ak4114 7843 1 snd_ice1724
snd_pt2258 3048 1 snd_ice1724
snd_i2c 4582 2 snd_ice1724,snd_pt2258
snd_ak4113 7726 1 snd_ice1724
snd_usb_audio 104267 1
snd_seq 52322 0
snd_pcm 78520 5 snd_ice1724,snd_ac97_codec,snd_ak4114,snd_ak4113,snd_usb_audio
uvcvideo 57089 0
videodev 72120 1 uvcvideo
fuse 62445 5
snd_hwdep 6328 1 snd_usb_audio
forcedeth 47520 0
media 11611 2 uvcvideo,videodev
snd_usbmidi_lib 18087 1 snd_usb_audio
cfg80211 148145 2 rt2x00lib,mac80211
snd_timer 19372 2 snd_seq,snd_pcm
snd_rawmidi 20208 2 snd_ice1724,snd_usbmidi_lib
snd_seq_device 5941 2 snd_seq,snd_rawmidi
joydev 9615 0
v4l2_compat_ioctl32 7377 1 videodev
snd 63380 21 snd_ice1724,snd_ac97_codec,snd_ak4xxx_adda,snd_ak4114,snd_pt2258,snd_i2c,snd_ak4113,snd_usb_audio,snd_seq,snd_pcm,snd_hwdep,snd_usbmidi_lib,snd_timer,snd_rawmidi,snd_seq_device
xpad 10582 0
nv_tco 5352 0
i2c_nforce2 5918 0
asus_atk0110 12395 0
rfkill 16436 4 bluetooth,cfg80211
k10temp 3295 0
i2c_core 25712 3 nvidia,videodev,i2c_nforce2
soundcore 6267 1 snd
eeprom_93cx6 1647 1 rt2500pci
snd_page_alloc 7343 1 snd_pcm
ppdev 7508 0
parport_pc 21184 0
parport 32342 2 ppdev,parport_pc
edac_core 40186 0
edac_mce_amd 13234 0
microcode 18587 0
ipv6 284762 41 ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
ata_generic 3635 0
pata_amd 11200 3
pata_acpi 3419 0
sata_nv 20272 1

Modules not affected by this:
cpufreq_ondemand
nf_conntrack_ipv4
nf_conntrack_ipv6
snd_ice17xx_ak4xxx
snd_rawmidi
snd_seq_device
joydev
v4l2_compat_ioctl32
xpad
nv_tco
i2c_nforce2
asus_atk0110
rfkill
k10temp
i2c_core
soundcore
eeprom_93cx6
snd_page_alloc
ppdev
parport_pc
parport
edac_core
edac_mce_amd
microcode
ata_generic
pata_amd
pata_acpi
sata_nv

Modules complained about (with netdev- prefix):
ac97_bus
arc4
bluetooth
bnep
cfg80211
fat
forcedeth
fuse
ip6table_filter
ip6_tables
ip6t_REJECT
mac80211
media
mperf
nf_conntrack
nf_defrag_ipv4
nf_defrag_ipv6
nvidia
powernow_k8
rt2500pci
rt2x00lib
rt2x00pci
scsi_wait_scan
snd
snd_ac97_codec
snd_ak4113
snd_ak4114
snd_ak4xxx_adda
snd_hwdep
snd_i2c
snd_ice1724
snd_pcm
snd_pt2258
snd_seq
snd_timer
snd_usb_audio
snd_usbmidi_lib
sunrpc
uvcvideo
vfat
videodev
xt_state

--
imalone
11-22-2011, 10:07 PM
Ian Malone

On 20 November 2011 00:09, Ian Malone <ibmalone@gmail.com> wrote:
> On 19 November 2011 18:38, Deron Meranda <deron.meranda@gmail.com> wrote:
>> On Sat, Nov 19, 2011 at 9:42 AM, Ian Malone <ibmalone@gmail.com> wrote:
>>> I've got quite a few of these during boot, anyone know what might be the cause?
>>>
>>> Loading kernel module for a network device with CAP_SYS_MODULE (deprecated).
>>> Use CAP_NET_ADMIN and alias X instead.
>>>
>>> Where X includes netdev-snd_ice1724, netdev-snd_ac97_codec, netdev-fat,
>>> netdev-vfat, netdev-bluetooth, netdev-nf_conntrack and others. Think
>>> they may all be netdev-. I've tried an autorelabel in case it's a
>>> labelling issue.
>>
>> This sounds like neither a systemd nor an SELinux issue. Are you
>> seeing anything more specific, like an AVC error?
>>
>
> No I'm not, two unrelated sealerts (gnome-session-check-accel,
> /bin/mailx). I know there's a systemd unit (or appears to be) to load
> kernel modules, I was wondering if this was responsible for attempting
> to load these with the wrong context.
>
>> Anyway the CAP_* symbols refer to the kernel "capabilities" (do a man
>> capabilities). These are kernel-level security features, but unrelated
>> to SELinux.
>>
>
> Interesting, thanks.

If anyone else encounters this or a similar issue it was caused by a
broken udev rule. To work around this bug
https://bugzilla.redhat.com/show_bug.cgi?id=753648 I had the following
rule, but with a spurious newline:
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="rt2500pci", KERNEL=="wlan*",
RUN="/sbin/iw $name set power_save off"

rather than
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="rt2500pci", KERNEL=="wlan*", RUN="/sbin/iw $name set power_save off"

--
imalone
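
A check for the failure described in the last post, as an added example that is not part of the original thread: a small linter that flags a udev rules line carrying RUN with no match keys (udev applies such a rule to every event) and a line of match keys with no action. The function names and finding labels are made up for this example; the sample rules are the two forms quoted in the post plus a constructed backslash-continued variant.

```python
import re

# One key / operator / "value" token of a udev rule, e.g. KERNEL=="wlan*"
TOKEN = re.compile(r'([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')
MATCH_OPS = {"==", "!="}  # every other operator assigns or appends

# The two forms quoted in the post, plus a constructed continued variant.
BROKEN = r'''SUBSYSTEM=="net", ACTION=="add", DRIVERS=="rt2500pci", KERNEL=="wlan*",
RUN="/sbin/iw $name set power_save off"
'''
FIXED = r'''SUBSYSTEM=="net", ACTION=="add", DRIVERS=="rt2500pci", KERNEL=="wlan*", RUN="/sbin/iw $name set power_save off"
'''
CONTINUED = r'''SUBSYSTEM=="net", ACTION=="add", DRIVERS=="rt2500pci", KERNEL=="wlan*", \
RUN="/sbin/iw $name set power_save off"
'''

def logical_lines(text):
    """Yield (first_line_number, rule), joining backslash-continued lines."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        start = num if start is None else start
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None
    if buf.strip():  # file ended in the middle of a continuation
        yield start, buf.strip()

def lint(text):
    """Return (line, kind, detail) findings for a udev rules file's text."""
    findings = []
    for num, rule in logical_lines(text):
        if not rule or rule.startswith("#"):
            continue
        tokens = TOKEN.findall(rule)
        matches = [key for key, op, _ in tokens if op in MATCH_OPS]
        runs = [val for key, op, val in tokens if key == "RUN" and op not in MATCH_OPS]
        if runs and not matches:
            # No match keys: the command runs for every device event.
            findings.append((num, "unconditional-run", runs[0]))
        elif tokens and len(matches) == len(tokens):
            # Only match keys: the action probably sits on the next line.
            findings.append((num, "match-without-action", rule))
    return findings

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED), ("continued", CONTINUED)):
        print(name, lint(text))
```
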