From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Tue,  8 Aug 2017 08:59:56 +0200
Subject: [refpolicy] [PATCH v2 1/1] Add module_load permission to self when
	loading modules is allowed
Message-ID: <20170808065956.10200-1-nicolas.iooss@m4x.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When a program uses init_module() to load a module, the kernel checks
for system:load_module permission in the process type [1].
For example when systemd loads ip_tables modules (since
https://github.com/systemd/systemd/commit/1d3087978a8ee23107cb64aa55ca97aefe9531e2),
the following AVC denial gets reported:

    avc:  denied  { module_load } for  pid=1 comm="systemd"
    scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
    tclass=system permissive=1

[1] The relevant kernel code is selinux_kernel_module_from_file() in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c?h=v4.11#n3836

    /* init_module */
    if (file == NULL)
        return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
                    SYSTEM__MODULE_LOAD, NULL);

In this code, both source and target SIDs are current_sid().
---
 policy/modules/kernel/kernel.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 424a4b511262..e2d3073b4260 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -474,6 +474,7 @@ optional_policy(`
 
 if( ! secure_mode_insmod ) {
 	allow can_load_kernmodule self:capability sys_module;
+	allow can_load_kernmodule self:system module_load;
 
 	files_load_kernel_modules(can_load_kernmodule)
 
-- 
2.13.4