From: guido@trentalancia.net (Guido Trentalancia)
Date: Sun, 07 Aug 2016 23:08:13 +0200
Subject: [refpolicy] [PATCH] Add module_load permission to can_load_kernmodule
Message-ID: <1470604093.2822.5.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The "module_load" permission has been recently added to the "system" class (kernel 4.7). The following patch updates the Reference Policy so that the new permission is allowed when a kernel module should be loaded.

Signed-off-by: Guido Trentalancia
---
 policy/modules/kernel/kernel.te | 4 ++++
 1 file changed, 4 insertions(+)

--- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te 2016-08-06 21:26:43.287774191 +0200
+++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2016-08-07 22:39:58.704800333 +0200
@@ -18,6 +18,7 @@
 attribute can_receive_kernel_messages;
 attribute can_dump_kernel;
 neverallow ~can_load_kernmodule self:capability sys_module;
+neverallow ~can_load_kernmodule modules_object_t:system module_load;
 
 # domains with unconfined access to kernel resources
 attribute kern_unconfined;
@@ -216,6 +217,8 @@
 allow kernel_t self:fd use;
 allow kernel_t debugfs_t:dir search_dir_perms;
 
+allow kernel_t modules_object_t:system ~module_load;
+
 allow kernel_t proc_t:dir list_dir_perms;
 allow kernel_t proc_t:file read_file_perms;
 allow kernel_t proc_t:lnk_file read_lnk_file_perms;
@@ -428,6 +431,7 @@
 optional_policy(`
 if( ! secure_mode_insmod ) {
 allow can_load_kernmodule self:capability sys_module;
+allow can_load_kernmodule modules_object_t:system module_load;
 
 # load_module() calls stop_machine() which
 # calls sched_setscheduler()
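Review bot: The added neverallow only constrains loads whose target is modules_object_t, so a domain outside can_load_kernmodule that loads a module from memory (the init_module() path) or from a file carrying another label is not caught by it — on my reading of the 4.7 hook, the kernel checks `system { module_load }` with the loaded file's context as the target when a file is involved and with the domain itself as the target when there is none, which is worth confirming against the LSM source before merging. If that holds, the neverallow should be paired with `neverallow ~can_load_kernmodule self:system module_load;`, and the third hunk should likewise add `allow can_load_kernmodule self:system module_load;` next to the modules_object_t rule inside the secure_mode_insmod block, otherwise loaders that use init_module() rather than finit_module() will be denied. The `if( ! secure_mode_insmod )` block in that third hunk closes outside the hunk.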
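Review bot: `allow kernel_t modules_object_t:system ~module_load;` grants kernel_t every permission in the system class except module_load — including any permission added to the class by a later kernel — with modules_object_t as the target, which copies the existing `self:capability ~sys_module` idiom but does not fit here: as far as I know the other system-class permissions are checked against the domain or the kernel SID, never against a file type, so the complement set grants nothing meaningful while reading as if kernel_t were being handed broad system access. If kernel_t is not meant to load modules itself (the neverallow in the first hunk forbids it unless kernel_t carries can_load_kernmodule, which this patch does not show), the rule can simply be dropped; if it is, spell the permission out as `allow kernel_t modules_object_t:system module_load;` and give kernel_t the attribute so the neverallow still holds. Either way a one-line comment above the rule stating why kernel_t is excluded from module_load would save the next reader the same question.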