From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 07 Jan 2011 10:22:51 -0500
Subject: [refpolicy] udev and secure_mode_insmod in selinux-policy-3.9.7-10.fc14 and later
In-Reply-To: <4D26637F.9090503@catseye.org>
References: <4D26637F.9090503@catseye.org>
Message-ID: <4D272FCB.7010301@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/06/2011 07:51 PM, Mark Montague wrote:
> Under selinux-policy-3.9.7-7.fc14 and previous, udev was able to load
> kernel modules even when secure_mode_insmod=on. Starting with the next
> policy release, 3.9.7-10.fc14, this fails, resulting in the ethernet
> device not being configured when the system boots; no denial is logged.
>
> Setting secure_mode_insmod=off and rebooting results in a working
> system, but allows other restricted domains to load kernel modules --
> which is a shame since I also have unconfined_login=off and
> secure_mode=on. So I added a local module with the following rule in
> order to get the 3.9.7-7.fc14 behavior with secure_mode_insmod=on. (The
> seemingly superfluous enclosing "if" is needed to avoid a duplicate rule
> error.)
>
> if (secure_mode_insmod) {
>     modutils_domtrans_insmod_uncond(udev_t)
> }
>
> My question is: what is the desired behavior for future policy
> releases? Should secure_mode_insmod=on affect udev as it currently does
> under 3.9.7-10.fc14 and later? (A literal reading of the description
> for this boolean implies it should.) Or should a new boolean be added
> (off by default) to allow administrators to have udev load kernel
> modules even when secure_mode_insmod=on? Or something else?
>
> Apologies if this is actually a non-issue due to lack of understanding
> on my end (but any education would be welcome in that case!)
>
> --
> Mark Montague
> mark at catseye.org
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

Let's ask this on the refpolicy list, to see if we can get consensus.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0nL8sACgkQrlYvE4MpobOqdgCdG4Vn8hVcg+qDSp3qPCp9gcpi
ikMAnjZzQU+F9xaqBB7ujZcdWpt+STsp
=M2Xx
-----END PGP SIGNATURE-----
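The rule Mark quotes is only the body of a local module; the complete module around it, and the steps to build, load and check it, are shown here as an added example that is not Mark's module nor anything shipped by Fedora or refpolicy. The module name `local_udev_insmod`, the `bool secure_mode_insmod;` line in the `require` block, and the devel Makefile path `/usr/share/selinux/devel/Makefile` are assumptions; `modutils_domtrans_insmod_uncond`, `udev_t` and `secure_mode_insmod` are the names from the thread. The last two functions cover the "no denial is logged" observation: rebuilding the policy with dontaudit rules disabled (`semodule -DB`) makes otherwise silent denials visible in the audit log.

```shell
#!/bin/sh
# Added example, not the local module from the thread. Emits a complete
# refpolicy-style local module carrying the conditional rule, then builds,
# loads and checks it. Assumed: module name, the bool require line, and the
# devel Makefile path (provided by the selinux-policy-devel package).
set -u

MODNAME="local_udev_insmod"   # assumed name, not from the original post

# Emit the .te source. The enclosing if() ties the rule to the boolean and,
# as the post notes, avoids a duplicate-rule error against the base policy.
gen_local_module_te() {
    cat <<EOF
policy_module(${MODNAME}, 1.0)

require {
    type udev_t;
    bool secure_mode_insmod;
}

# Keep udev able to transition to the insmod domain while the boolean is on.
if (secure_mode_insmod) {
    modutils_domtrans_insmod_uncond(udev_t)
}
EOF
}

# Write the .te into a scratch directory, compile it to a .pp with the
# refpolicy devel Makefile, and load the package into the running policy.
build_and_load() {
    workdir="$(mktemp -d)" || return 1
    gen_local_module_te > "${workdir}/${MODNAME}.te"
    ( cd "${workdir}" && make -f /usr/share/selinux/devel/Makefile "${MODNAME}.pp" ) || return 1
    semodule -i "${workdir}/${MODNAME}.pp"
}

# The rule is conditional, so confirm the boolean state it depends on.
show_boolean() {
    getsebool secure_mode_insmod
}

# When a failure leaves no AVC record, dontaudit rules are the usual reason.
# Rebuild with them disabled, reproduce the failure (a reboot in the thread's
# case), then inspect recent AVC messages.
enable_dontaudit_logging() {
    semodule -DB && ausearch -m avc -ts recent
}

# Put the dontaudit rules back once the investigation is done.
restore_dontaudit() {
    semodule -B
}

# Usage: sh local_udev_insmod.sh install   (needs root and the SELinux tools)
if [ "${1:-}" = "install" ]; then
    build_and_load && show_boolean
fi
```

Loading the module with `secure_mode_insmod=off` is harmless: the rule inside the `if` is simply inactive until the boolean is switched on with `setsebool -P secure_mode_insmod on`.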