2017-07-10 20:23:39

by Nicolas Iooss

Subject: [refpolicy] [PATCH 1/1] Add module_load permission to self when using files_load_kernel_modules

When a program uses init_module() to load a module, the kernel checks
for system:load_module permission in the process type [1].
For example when systemd loads ip_tables modules (since
https://github.com/systemd/systemd/commit/1d3087978a8ee23107cb64aa55ca97aefe9531e2),
the following AVC denial gets reported:

avc: denied { module_load } for pid=1 comm="systemd"
scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
tclass=system permissive=1

[1] The relevant kernel code is selinux_kernel_module_from_file() in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c?h=v4.11#n3836

	/* init_module */
	if (file == NULL)
		return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
				    SYSTEM__MODULE_LOAD, NULL);

In this code, both source and target SIDs are current_sid().
---
policy/modules/kernel/files.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index ac5714fd439c..593a9bb981cd 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4431,7 +4431,7 @@ interface(`files_load_kernel_modules',`
')

files_read_kernel_modules($1)
- allow $1 modules_object_t:system module_load;
+ allow $1 { $1 modules_object_t }:system module_load;
')

########################################
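Review bot: the new target `$1` in `allow $1 { $1 modules_object_t }:system module_load;` is only equivalent to a self rule when $1 is a single type; if a caller passes an attribute, every type in that attribute is allowed module_load against every other type in it. A separate rule using the `self` keyword, `allow $1 self:system module_load;`, mirrors the avc_has_perm(sid, sid, ...) check quoted in the description exactly and cannot widen that way. Splitting it out also makes the placement question explicit: a system-class permission on the caller's own type is a capability of the process, not access to modules_object_t files, which is why it sits awkwardly in a files.if interface.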
--
2.13.2

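As an added example (not part of the patch or of this thread), a small Python helper that turns an AVC denial like the one quoted in the description into the narrowest matching allow rule, writing the target as `self` when source and target type coincide, which is what the init_module() check performed as avc_has_perm(sid, sid, ...) calls for. The sample denial line is constructed after the one in the message, and the rule-derivation is the author's own, not refpolicy or audit2allow code.

```python
import re

# Constructed sample line modelled on the denial in the patch description;
# it is not real audit output from any system in this thread.
SAMPLE_AVC = (
    'avc: denied { module_load } for pid=1 comm="systemd" '
    'scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t '
    'tclass=system permissive=1'
)

_PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the permission list and key=value fields of one AVC denial."""
    m = _PERMS_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial: %r" % line)
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    fields["perms"] = m.group(1).split()
    return fields


def context_type(ctx):
    """Extract the type component of a user:role:type[:range] context."""
    return ctx.split(":")[2]


def allow_rule(avc):
    """Derive the minimal allow rule for a parsed denial.

    If source and target type are identical, the target is written as
    `self`, so the rule only ever grants type-to-itself access even when
    the source is later replaced by an attribute covering many types.
    """
    src = context_type(avc["scontext"])
    tgt = context_type(avc["tcontext"])
    target = "self" if src == tgt else tgt
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (src, target, avc["tclass"], perm_str)


if __name__ == "__main__":
    print(allow_rule(parse_avc(SAMPLE_AVC)))
```

For the sample line this yields `allow init_t self:system module_load;`; a denial whose scontext and tcontext types differ gets the target type spelled out instead.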

2017-08-06 15:18:17

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/1] Add module_load permission to self when using files_load_kernel_modules

On 07/10/2017 04:23 PM, Nicolas Iooss via refpolicy wrote:
> When a program uses init_module() to load a module, the kernel checks
> for system:load_module permission in the process type [1].
> For example when systemd loads ip_tables modules (since
> https://github.com/systemd/systemd/commit/1d3087978a8ee23107cb64aa55ca97aefe9531e2),
> the following AVC denial gets reported:
>
> avc: denied { module_load } for pid=1 comm="systemd"
> scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
> tclass=system permissive=1
>
> [1] The relevant kernel code is selinux_kernel_module_from_file() in
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c?h=v4.11#n3836
>
> 	/* init_module */
> 	if (file == NULL)
> 		return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
> 				    SYSTEM__MODULE_LOAD, NULL);
>
> In this code, both source and target SIDs are current_sid().

This seems like it should instead be applied in kernel.te, in the
can_load_kernmodule block.


> ---
> policy/modules/kernel/files.if | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index ac5714fd439c..593a9bb981cd 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -4431,7 +4431,7 @@ interface(`files_load_kernel_modules',`
> ')
>
> files_read_kernel_modules($1)
> - allow $1 modules_object_t:system module_load;
> + allow $1 { $1 modules_object_t }:system module_load;
> ')
>
> ########################################
>


--
Chris PeBenito