From: nicolas.iooss@m4x.org (Nicolas Iooss) Date: Tue, 8 Aug 2017 08:59:56 +0200 Subject: [refpolicy] [PATCH v2 1/1] Add module_load permission to self when loading modules is allowed Message-ID: <20170808065956.10200-1-nicolas.iooss@m4x.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com When a program uses init_module() to load a module, the kernel checks for system:load_module permission in the process type [1]. For example when systemd loads ip_tables modules (since https://github.com/systemd/systemd/commit/1d3087978a8ee23107cb64aa55ca97aefe9531e2), the following AVC denial gets reported: avc: denied { module_load } for pid=1 comm="systemd" scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=system permissive=1 [1] The relevant kernel code is selinux_kernel_module_from_file() in https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c?h=v4.11#n3836 /* init_module */ if (file == NULL) return avc_has_perm(sid, sid, SECCLASS_SYSTEM, SYSTEM__MODULE_LOAD, NULL); In this code, both source and target SIDs are current_sid(). --- policy/modules/kernel/kernel.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 424a4b511262..e2d3073b4260 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -474,6 +474,7 @@ optional_policy(` if( ! secure_mode_insmod ) { allow can_load_kernmodule self:capability sys_module; + allow can_load_kernmodule self:system module_load; files_load_kernel_modules(can_load_kernmodule) -- 2.13.4
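Review bot: The commit message names the permission "system:load_module", but the hunk, the quoted AVC denial and the kernel constant SYSTEM__MODULE_LOAD all use "module_load"; please correct the description to "system:module_load" so it matches the rule being added. The rule itself, "allow can_load_kernmodule self:system module_load;", is placed inside the "if( ! secure_mode_insmod )" branch next to the existing "self:capability sys_module" allow, which keeps it under the same tunable. Note that the quoted kernel code covers only the "file == NULL" (init_module) path, where source and target SIDs are both current_sid(); the finit_module() path is not shown here, so confirm that it is covered by the adjacent files_load_kernel_modules() call rather than by this self rule.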