From: dwalsh@redhat.com (Daniel J Walsh)
Date: Sat, 10 Oct 2015 08:46:52 -0400
Subject: [refpolicy] modules_object_t vs. modules_dep_t labeling
In-Reply-To:
References: <560D03C1.9060102@redhat.com> <20151005163442.GB21879@x250> <5612CCDC.3020900@tresys.com> <20151006112913.GB27034@x250> <20151006114612.GC27034@x250> <5615FB6B.5050404@redhat.com> <56166C61.8060008@tresys.com>
Message-ID: <561908BC.8090109@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/10/2015 03:17 AM, Sven Vermeulen wrote:
> On Thu, Oct 8, 2015 at 3:15 PM, Christopher J. PeBenito wrote:
>>> In Fedora, we removed all these transitions for modules_dep_t labeling
>>> and we go only with modules_object_t. If it works I can post patches.
>> In an ideal world, the two types would still work fine, as we don't want
>> insmod to have the permissions for writing kernel modules. However, now
>> that depmod, insmod, etc. are all merged into a single binary, this
>> complicates things, since the policy doesn't necessarily know with
>> absolute certainty which tool kmod is acting as. Additionally, if kmod
>> is malfunctioning, it doesn't matter so much if it can write kernel
>> modules, since it can simply generate a kernel module in memory and
>> insert it (or load a module into memory from disk, alter it, and then
>> insert it).
>>
>> I guess that's my long-winded way of saying I'm on the fence but leaning
>> towards merging the types. In fact, it might make sense to simply make
>> a new kmod_t domain that aliases the old insmod and depmod domains,
>> entrypoints, etc.
>>
>> Does the Gentoo team have any opinion?
> We've had our share of kmod and mislabeling issues too. I'm in favour
> of merging the types as that would make it considerably easier to
> handle (now and in the future).
>
> Wkr,
> Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

This separation of types based on a security difference has never made much of a difference and has caused mislabeling issues for years. I believe you should merge the types.
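As an added illustration, not taken from this thread and not refpolicy's actual modutils module, here is what the approach PeBenito sketches (one kmod_t domain, with the old insmod/depmod domains and entrypoints kept as aliases, and modules_dep_t folded into modules_object_t) looks like in refpolicy's policy language. The module name kmod_example is made up; the interfaces used (init_system_domain, files_type, kernel_load_module) and the permission sets (list_dir_perms, read_file_perms, rw_dir_perms, manage_file_perms) are refpolicy names as I recall them and should be checked against the tree you build against. In a real tree modules_object_t is declared in kernel/files.te, so the typealias for modules_dep_t would live there rather than in this module; it is placed here only so the example is self-contained.

```selinux
## <summary>Added example: single kmod_t domain with aliases for the old insmod/depmod types (not refpolicy's own modutils.te).</summary>

policy_module(kmod_example, 1.0.0)

########################################
#
# Declarations
#

# One domain for the merged kmod binary. The old domain and entrypoint
# names survive as aliases so existing policy, file contexts and audit
# rules that still name insmod_t/depmod_t keep resolving.
type kmod_t;
type kmod_exec_t;
init_system_domain(kmod_t, kmod_exec_t)
typealias kmod_t alias { insmod_t depmod_t };
typealias kmod_exec_t alias { insmod_exec_t depmod_exec_t };

# Assumption: modules_object_t is declared elsewhere (kernel/files.te in
# refpolicy); this module only requires it.
gen_require(`
	type modules_object_t;
')

# modules.dep and friends are labeled modules_object_t after the merge.
# Keeping modules_dep_t as an alias means a stale file_contexts entry or
# an old policy rule naming it still maps to the merged type instead of
# producing a mislabeled file. (Placed here for self-containment; in a
# real tree this line belongs next to the modules_object_t declaration.)
typealias modules_object_t alias modules_dep_t;

########################################
#
# Local policy
#

# kmod acting as insmod: enumerate the module tree, read modules, load them.
allow kmod_t modules_object_t:dir list_dir_perms;
allow kmod_t modules_object_t:file read_file_perms;
kernel_load_module(kmod_t)

# kmod acting as depmod: rewrite modules.dep and the other index files in
# the same directory. This is the price of the merge that the thread
# discusses: the domain that loads modules can also write them. The
# argument above is that the old split bought little, since a compromised
# insmod could already load an arbitrary module from memory.
allow kmod_t modules_object_t:dir rw_dir_perms;
allow kmod_t modules_object_t:file manage_file_perms;
```

After installing a policy like this and updating the file contexts, the check a practitioner wants is a dry-run relabel of the module tree, `restorecon -n -v -R /lib/modules`, which lists any file whose on-disk label still differs from what the contexts say it should be; with modules_dep_t aliased to modules_object_t that list should be empty rather than full of the index files that used to flip between the two types.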