From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 5 Oct 2015 15:17:48 -0400
Subject: [refpolicy] modules_object_t vs. modules_dep_t labeling
In-Reply-To: <20151005163442.GB21879@x250>
References: <560D03C1.9060102@redhat.com> <20151005163442.GB21879@x250>
Message-ID: <5612CCDC.3020900@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/5/2015 12:34 PM, Dominick Grift wrote:
> On Thu, Oct 01, 2015 at 11:58:25AM +0200, Miroslav Grepl wrote:
>> We have more and more bugs with mislabeled /lib/modules/*/modules.dep*
>> files. There is a default label for them - modules_dep_t - but we get them
>> labeled as modules_object_t. Yes, we can add filename transition rules
>> and also find a reason why they get wrong labeling (in progress).
>>
>> But is there a big advantage to having these two labels? At least I don't
>> see it from the policy point of view (sesearch).
>>
>> Thank you.
>
> Still not verified, but:
>
> /sbin/depmod is a link to /bin/kmod
>
> So I suspect /bin/kmod now creates the modules_dep files via rpm_script_t %post and
> the /sbin/new_kernel_pkg shell script:
>
> doDepmod() {
>     [ -n "$verbose" ] && echo "running depmod for $version"
>     depmod -ae -F /boot/System.map-$version $version
> }
>
> but because insmod_t is lacking the appropriate auto object type transitions and because insmod is
> unconfined, the files get created with the wrong label.
>
> So you should copy the auto object type transition rules for modules_dep
> from depmod to insmod, I suspect.
>
> I would not want insmod_t to be able to mess with modules_object_t type
> files.
>
> But yes, in Fedora insmod is unconfined...

Thanks for digging through this issue. For the time being, we'll keep what
we have. Miroslav, if the type transition Dominick suggests works, then we
can put it in refpolicy.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
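For readers who want to see what "copy the auto object type transition rules from depmod to insmod" looks like in refpolicy terms, here is an added example written for this page; it is not a patch from the thread, not code from refpolicy, and was not posted by any of the participants. It assumes the types insmod_t, depmod_t, modules_object_t and modules_dep_t as used in refpolicy's kernel/modutils module, and the filenames in the named-transition variant are an assumption about what depmod writes, not a list taken from the page.

```selinux
# Added example (not refpolicy code): give insmod_t the labeling behaviour
# that depmod_t already has for files written into /lib/modules/<ver>/.
# Assumed types: insmod_t, modules_object_t, modules_dep_t (as in
# refpolicy kernel/modutils).

# Permission to create and rewrite the dependency files.  On Fedora, where
# insmod_t is unconfined, permission is not the problem; this line only
# matters in a confined build.
manage_files_pattern(insmod_t, modules_object_t, modules_dep_t)

# The auto object type transition.  type_transition is a labeling decision,
# not a permission, so an unconfined domain still needs it: without this
# rule a file created by insmod_t inherits the parent directory's
# modules_object_t.  Expands to:
#   type_transition insmod_t modules_object_t:file modules_dep_t;
filetrans_pattern(insmod_t, modules_object_t, modules_dep_t, file)

# Narrower alternative using named file transitions.  These match one
# exact filename each (no globbing), so one rule per file is needed.  The
# filenames below are an assumption for illustration.
filetrans_pattern(insmod_t, modules_object_t, modules_dep_t, file, "modules.dep")
filetrans_pattern(insmod_t, modules_object_t, modules_dep_t, file, "modules.dep.bin")
filetrans_pattern(insmod_t, modules_object_t, modules_dep_t, file, "modules.alias")
filetrans_pattern(insmod_t, modules_object_t, modules_dep_t, file, "modules.alias.bin")

# Check after loading the policy that the transition exists, and compare
# against depmod_t, which is the domain being copied from:
#   sesearch -T -s insmod_t -t modules_object_t -c file
#   sesearch -T -s depmod_t -t modules_object_t -c file
```

Use one variant or the other, not both: the unnamed rule relabels every file insmod_t creates in a modules_object_t directory, which is the simplest match for Dominick's suggestion; the named rules are what Miroslav refers to as "filename transition rules" and are the safer choice if insmod_t could ever create something in a module directory that should stay modules_object_t. A confined insmod_t would also still lack write access to modules_object_t files themselves, which is the separation Dominick wants to keep.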