From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 6 Aug 2017 11:18:17 -0400
Subject: [refpolicy] [PATCH 1/1] Add module_load permission to self when using files_load_kernel_modules
In-Reply-To: <20170710202339.18198-1-nicolas.iooss@m4x.org>
References: <20170710202339.18198-1-nicolas.iooss@m4x.org>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/10/2017 04:23 PM, Nicolas Iooss via refpolicy wrote:
> When a program uses init_module() to load a module, the kernel checks
> for system:load_module permission in the process type [1].
> For example when systemd loads ip_tables modules (since
> https://github.com/systemd/systemd/commit/1d3087978a8ee23107cb64aa55ca97aefe9531e2),
> the following AVC denial gets reported:
>
> avc: denied { module_load } for pid=1 comm="systemd"
> scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
> tclass=system permissive=1
>
> [1] The relevant kernel code is selinux_kernel_module_from_file() in
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c?h=v4.11#n3836
>
> /* init_module */
> if (file == NULL)
> return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
> SYSTEM__MODULE_LOAD, NULL);
>
> In this code, both source and target SIDs are current_sid().

This seems like it should instead be applied in kernel.te, in the can_load_kernmodule block.

> ---
> policy/modules/kernel/files.if | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index ac5714fd439c..593a9bb981cd 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -4431,7 +4431,7 @@ interface(`files_load_kernel_modules',`
> ')
>
> files_read_kernel_modules($1)
> - allow $1 modules_object_t:system module_load;
> + allow $1 { $1 modules_object_t }:system module_load;
> ')
>
> ########################################

--
Chris PeBenito
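Review bot: The changed line in the files.if hunk, `allow $1 { $1 modules_object_t }:system module_load;`, folds a process-self permission into an interface whose name and existing body are about modules_object_t files, and it grants `$1 self:system module_load` to every caller of files_load_kernel_modules rather than only to the init_module() users the commit message describes. The quoted kernel snippet shows why the two paths differ: with `file == NULL` the check is `avc_has_perm(sid, sid, SECCLASS_SYSTEM, SYSTEM__MODULE_LOAD, NULL)` against the caller's own SID, which has nothing to do with the modules_object_t rule already in the interface. Carry the self rule in the can_load_kernmodule block in kernel.te as the reply suggests, and if it does stay in an interface, write it as a separate `allow $1 self:system module_load;` rather than packing `$1` into the target set, which is the usual refpolicy form and is easier to read. Also, the commit message says the kernel checks for "system:load_module" while the AVC denial and the hunk both use `module_load`; please correct the permission name in the message so it matches the policy.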