From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 8 Aug 2017 20:03:26 -0400
Subject: [refpolicy] [PATCH v2 1/1] Add module_load permission to self when loading modules is allowed
In-Reply-To: <20170808065956.10200-1-nicolas.iooss@m4x.org>
References: <20170808065956.10200-1-nicolas.iooss@m4x.org>
Message-ID: <142b7928-8d41-f552-a471-73cb2707832a@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/08/2017 02:59 AM, Nicolas Iooss via refpolicy wrote:
> When a program uses init_module() to load a module, the kernel checks
> for system:load_module permission in the process type [1].
> For example, when systemd loads ip_tables modules (since
> https://github.com/systemd/systemd/commit/1d3087978a8ee23107cb64aa55ca97aefe9531e2),
> the following AVC denial gets reported:
>
> avc: denied { module_load } for pid=1 comm="systemd"
> scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
> tclass=system permissive=1
>
> [1] The relevant kernel code is selinux_kernel_module_from_file() in
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c?h=v4.11#n3836
>
> /* init_module */
> if (file == NULL)
> return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
> SYSTEM__MODULE_LOAD, NULL);
>
> In this code, both source and target SIDs are current_sid().
> ---
> policy/modules/kernel/kernel.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 424a4b511262..e2d3073b4260 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -474,6 +474,7 @@ optional_policy(`
>
> if( ! secure_mode_insmod ) {
> allow can_load_kernmodule self:capability sys_module;
> + allow can_load_kernmodule self:system module_load;
>
> files_load_kernel_modules(can_load_kernmodule)

Merged.

-- 
Chris PeBenito
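Review bot: the commit message's first sentence names the permission `system:load_module`, while the quoted denial, the kernel constant SYSTEM__MODULE_LOAD and the added rule all say `module_load`; the wording should match the rule it justifies before this goes in. Also, the quoted kernel excerpt is only the `file == NULL` (init_module) branch of selinux_kernel_module_from_file(), so `allow can_load_kernmodule self:system module_load;` covers init_module() alone; the message should say whether the finit_module() path, where a file is supplied, needs a rule of its own or is already handled by the `files_load_kernel_modules(can_load_kernmodule)` call that follows in the same block.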
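The denial quoted in the commit message is the evidence for the rule in the hunk, and the step from one to the other is mechanical: the permission comes from the `{ ... }` set, the source type from scontext, the target type and class from tcontext and tclass, and when scontext and tcontext carry the same type (both are current_sid() in the kernel check quoted above) the target is written as `self`. The script below is an added example, not part of the refpolicy thread or of audit2allow; it parses AVC lines in the format shown in the message and prints the matching allow rule. The first sample is the denial quoted from the message; the second is constructed here to show the non-self case with a multi-permission set. The `avc_to_allow` function name and the `modules_object_t` target in the constructed sample are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the refpolicy thread): derive the allow rule an AVC
# denial asks for. Input is the kernel's audit line as quoted in the commit
# message; output is a single rule in kernel policy language.

# avc_to_allow LINE
# Prints "allow <stype> <ttype|self>:<tclass> <perm>;" for one denial line.
# Returns 1 if any of the four fields cannot be found in the line.
avc_to_allow() {
    line=$1
    # Permission set between "denied {" and "}", trimmed of surrounding spaces.
    perm=$(printf '%s\n' "$line" \
        | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' \
        | sed 's/^ *//; s/ *$//')
    # Type is the third colon-separated field of a context; this also holds
    # when an MLS range is appended as a fourth field.
    stype=$(printf '%s\n' "$line" \
        | sed -n 's/.*scontext=\([^ ]*\).*/\1/p' | awk -F: '{print $3}')
    ttype=$(printf '%s\n' "$line" \
        | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p' | awk -F: '{print $3}')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')

    if [ -z "$perm" ] || [ -z "$stype" ] || [ -z "$ttype" ] || [ -z "$tclass" ]; then
        echo "avc_to_allow: not an AVC denial line" >&2
        return 1
    fi

    # Same type on both sides: the kernel checked (sid, sid), so the policy
    # rule is written against self, as in the patch's added line.
    if [ "$stype" = "$ttype" ]; then
        target=self
    else
        target=$ttype
    fi

    # More than one permission needs braces in policy syntax.
    case $perm in
        *" "*) perm="{ $perm }" ;;
    esac

    printf 'allow %s %s:%s %s;\n' "$stype" "$target" "$tclass" "$perm"
}

# Sample input. SAMPLE_SELF is the denial quoted in the commit message;
# SAMPLE_FILE is constructed for this example (modules_object_t is assumed).
SAMPLE_SELF='avc: denied { module_load } for pid=1 comm="systemd" scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=system permissive=1'
SAMPLE_FILE='avc: denied { read open } for pid=1 comm="systemd" scontext=system_u:system_r:init_t tcontext=system_u:object_r:modules_object_t tclass=file permissive=0'

main() {
    avc_to_allow "$SAMPLE_SELF"
    avc_to_allow "$SAMPLE_FILE"
}

main
```

The output for the quoted denial is `allow init_t self:system module_load;`, which is the rule the patch adds, except that refpolicy writes it against the `can_load_kernmodule` attribute inside the `! secure_mode_insmod` block rather than against `init_t` directly; that mapping from type to attribute and tunable is a policy-design decision the denial cannot supply, so a generated rule is a starting point for review, not something to paste in. The `permissive=1` field in the quoted line records that the access was allowed despite the denial (permissive mode or a permissive domain), which is why systemd carried on and the rule could be collected from logs rather than from a failure.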