From: nicolas.iooss@m4x.org (Nicolas Iooss) Date: Mon, 10 Jul 2017 22:23:39 +0200 Subject: [refpolicy] [PATCH 1/1] Add module_load permission to self when using files_load_kernel_modules Message-ID: <20170710202339.18198-1-nicolas.iooss@m4x.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com When a program uses init_module() to load a module, the kernel checks for system:load_module permission in the process type [1]. For example when systemd loads ip_tables modules (since https://github.com/systemd/systemd/commit/1d3087978a8ee23107cb64aa55ca97aefe9531e2), the following AVC denial gets reported: avc: denied { module_load } for pid=1 comm="systemd" scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=system permissive=1 [1] The relevant kernel code is selinux_kernel_module_from_file() in https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c?h=v4.11#n3836 /* init_module */ if (file == NULL) return avc_has_perm(sid, sid, SECCLASS_SYSTEM, SYSTEM__MODULE_LOAD, NULL); In this code, both source and target SIDs are current_sid(). --- policy/modules/kernel/files.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index ac5714fd439c..593a9bb981cd 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -4431,7 +4431,7 @@ interface(`files_load_kernel_modules',` ') files_read_kernel_modules($1) - allow $1 modules_object_t:system module_load; + allow $1 { $1 modules_object_t }:system module_load; ') ######################################## -- 2.13.2
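Review bot: in the `+` line of the hunk, `{ $1 modules_object_t }` is broader than the check the commit message quotes. avc_has_perm(sid, sid, ...) means source and target are the same SID, and the policy keyword for that is `self`; when $1 is an attribute rather than a single type, `allow $1 { $1 modules_object_t }:system module_load;` also grants every domain in the attribute module_load on every other domain in it, not only on itself. Suggest keeping the original line and adding a separate `allow $1 self:system module_load;` beside it, which matches the init_t -> init_t denial exactly and keeps the two grants readable.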