From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sat, 10 Oct 2015 09:17:47 +0200 Subject: [refpolicy] modules_object_t vs. modules_dep_t labeling In-Reply-To: <56166C61.8060008@tresys.com> References: <560D03C1.9060102@redhat.com> <20151005163442.GB21879@x250> <5612CCDC.3020900@tresys.com> <20151006112913.GB27034@x250> <20151006114612.GC27034@x250> <5615FB6B.5050404@redhat.com> <56166C61.8060008@tresys.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Thu, Oct 8, 2015 at 3:15 PM, Christopher J. PeBenito wrote: >> In Fedora, we removed all these transitions for modules_dep_t labeling >> and we go only with modules_object_t. If it works I can post patches. > > In an ideal world, the two types would still work fine, as we don't want > insmod to have the permissions for writing kernel modules. However, now > that depmod, insmod, etc. are all merged into a single binary, this > complicates things, since the policy doesn't necessarily know with > absolute certainty which tool kmod is acting as. Additionally, if kmod > is malfunctioning, it doesn't matter so much if it can write kernel > modules, since it can simply generate a kernel module in memory and > insert it (or load a module into memory from disk, alter it, and then > insert it). > > I guess that's my long-winded way of saying I'm on the fence but leaning > towards merging the types. In fact, it might make sense to simply make > a new kmod_t domain that aliases the old insmod and depmod domains, > entrypoints, etc. > > Does the Gentoo team have any opinion? We've had our share of kmod and mislabeling issues too. I'm in favour of merging the types as that would make it considerably easier to handle (now and in the future). Wkr, Sven Vermeulen