From: aranea@aixah.de (Luis Ressel)
Date: Sat, 9 Nov 2013 14:32:09 +0100
Subject: [refpolicy] kmod
Message-ID: <20131109143209.2fe65eb6@gentp.lnet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

I'm experiencing a problem with the kernel's "make modules_install". The old modutils had different binaries for modprobe, lsmod, depmod etc, but its successor kmod only has one multi-call binary with several symlinks to it.

The system/modutils part of refpolicy has two separate application domains, insmod_t (for the various module-loading commands) and depmod_t (for depmod, invoked only during compilation). Only the latter is allowed to write module_dep_t files.

But when using kmod, /sbin/depmod is only a symlink to /bin/kmod. Therefore it runs in the insmod_t domain and isn't allowed to write module_dep_t files.

I see three possible solutions:

1) Unify the insmod_t and depmod_t domains (problem: weakens protection)
2) Patch kmod to be selinux-aware and choose the appropriate domain (problems: also requires policy changes, upstream might be uninterested in including the patches)
3) Make /sbin/depmod a wrapper instead of a symlink.

Which way would you go? I'm leaning towards option 3.

Regards,
Luis Ressel
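The labelling behaviour described in the message above, as an added example that is not part of the original post or of refpolicy: a small Python model that builds the three /sbin/depmod layouts in a temporary directory and computes the domain depmod ends up in. The caller domain sysadm_t, the exec types insmod_exec_t and depmod_exec_t, and the transition table are assumptions made for this sketch.

```python
import os
import tempfile

# Constructed model, not refpolicy source. sysadm_t, insmod_exec_t and
# depmod_exec_t are assumed names; insmod_t, depmod_t and module_dep_t are
# from the e-mail.
TRANSITIONS = {("sysadm_t", "insmod_exec_t"): "insmod_t",
               ("sysadm_t", "depmod_exec_t"): "depmod_t"}
MAY_WRITE_MODULE_DEP = {"depmod_t"}  # only depmod_t writes module_dep_t files

def exec_domain(domain, path, labels, rules):
    """Domain after exec: the label of the file the path resolves to decides.
    A symlink's own label is ignored; with no matching rule the domain is kept."""
    return rules.get((domain, labels[os.path.realpath(path)]), domain)

def build(root, layout):
    """Create one /sbin/depmod layout under root; return (labels, exec chain)."""
    kmod = os.path.join(root, "bin", "kmod")
    depmod = os.path.join(root, "sbin", "depmod")
    for p in (kmod, depmod):
        os.makedirs(os.path.dirname(p))
    labels = {}
    if layout != "modutils":            # kmod: one multi-call binary
        open(kmod, "w").close()
        labels[kmod] = "insmod_exec_t"
    if layout == "kmod-symlink":        # depmod is only a symlink to kmod
        os.symlink(kmod, depmod)
        return labels, [depmod]
    open(depmod, "w").close()           # separate binary, or option 3 wrapper
    labels[depmod] = "depmod_exec_t"
    chain = [depmod] if layout == "modutils" else [depmod, kmod]
    return labels, chain

def depmod_result(layout, rules=TRANSITIONS, caller="sysadm_t"):
    """Return (final domain, may write module_dep_t) for running depmod."""
    with tempfile.TemporaryDirectory() as tmp:
        labels, chain = build(os.path.realpath(tmp), layout)
        domain = caller
        for path in chain:              # the wrapper execs kmod as a second step
            domain = exec_domain(domain, path, labels, rules)
    return domain, domain in MAY_WRITE_MODULE_DEP

if __name__ == "__main__":
    for layout in ("modutils", "kmod-symlink", "kmod-wrapper"):
        print(layout, depmod_result(layout))
```

In this model the wrapper layout keeps depmod_t only because no rule moves depmod_t to insmod_t when the wrapper executes kmod; passing a rule set that contains such a transition puts the wrapper case back in insmod_t.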