From: dac.override@gmail.com (Dominick Grift)
Date: Thu, 10 Aug 2017 17:11:42 +0200
Subject: [refpolicy] [PATCH v2 1/1] Add module_load permission to self when loading modules is allowed
In-Reply-To: <1502384990.5184.2.camel@trentalancia.com>
References: <20170808065956.10200-1-nicolas.iooss@m4x.org>
 <142b7928-8d41-f552-a471-73cb2707832a@ieee.org>
 <1502384990.5184.2.camel@trentalancia.com>
Message-ID: <20170810151142.GA29463@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Aug 10, 2017 at 07:09:50PM +0200, Guido Trentalancia via refpolicy wrote:
> On Tue, 08/08/2017 at 20.03 -0400, Chris PeBenito via refpolicy wrote:
> > On 08/08/2017 02:59 AM, Nicolas Iooss via refpolicy wrote:
> > > When a program uses init_module() to load a module, the kernel checks
> > > for system:load_module permission in the process type [1].
> > > For example when systemd loads ip_tables modules (since
> > > https://github.com/systemd/systemd/commit/1d3087978a8ee23107cb64aa55ca97aefe9531e2),
> > > the following AVC denial gets reported:
> > >
> > >     avc: denied { module_load } for pid=1 comm="systemd"
> > >     scontext=system_u:system_r:init_t
> > >     tcontext=system_u:system_r:init_t
> > >     tclass=system permissive=1
> > >
> > > [1] The relevant kernel code is selinux_kernel_module_from_file() in
> > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c?h=v4.11#n3836
> > >
> > >     /* init_module */
> > >     if (file == NULL)
> > >         return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
> > >                             SYSTEM__MODULE_LOAD, NULL);
> > >
> > > In this code, both source and target SIDs are current_sid().
> > > ---
> > >  policy/modules/kernel/kernel.te | 1 +
> > >  1 file changed, 1 insertion(+)
> > >
> > > diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> > > index 424a4b511262..e2d3073b4260 100644
> > > --- a/policy/modules/kernel/kernel.te
> > > +++ b/policy/modules/kernel/kernel.te
> > > @@ -474,6 +474,7 @@ optional_policy(`
> > >  
> > >  if( ! secure_mode_insmod ) {
> > >  	allow can_load_kernmodule self:capability sys_module;
> > > +	allow can_load_kernmodule self:system module_load;
> > >  
> > >  	files_load_kernel_modules(can_load_kernmodule)
> >
> > Merged.
>
> Hello.
>
> Sorry for my late reply...
>
> I believe this only applies to systemd.

It doesn't. It applies to systems that have kernel modules compressed.

> So, is there any reason why it hasn't been enclosed in the appropriate
> ifdef(init_systemd) ?
>
> Regards,
>
> Guido

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
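Review bot: the added `allow can_load_kernmodule self:system module_load;` covers only the init_module() branch quoted from hooks.c (file == NULL, source and target SID both current_sid()), so the commit message should state how the file-backed branch (finit_module(), not quoted) is covered, presumably by the `files_load_kernel_modules(can_load_kernmodule)` call on the following context line; otherwise a reader may expect this hunk alone to resolve every module_load denial. Placing the rule next to `self:capability sys_module` inside `if( ! secure_mode_insmod )` is the right gate, since both permissions are then withdrawn together when secure_mode_insmod is set. On the question of wrapping it in ifdef(init_systemd): the kernel check is made against whatever process type calls init_module(), so the rule is not systemd-specific and belongs unconditionally in the can_load_kernmodule attribute as written.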
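The point the commit message makes, that the kernel checks `system:module_load` with source and target SID both equal to the caller's, is what turns the quoted denial into an allow rule on `self`. As an added illustration that is not part of the thread or of refpolicy, the following Python parses AVC denial lines in the format shown above and derives the minimal allow rule, emitting `self` whenever the source and target types coincide. The second sample line, with a differing target context, is constructed for contrast and does not come from the thread.

```python
import re
from dataclasses import dataclass

# An AVC denial carries the denied permission set in braces, then key=value fields.
_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either quoted strings (comm="systemd") or bare tokens.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input. The first line is the denial quoted in the thread; the second is a
# constructed line with a differing target context, added here to show the non-self case.
SAMPLE_DENIALS = [
    'avc: denied { module_load } for pid=1 comm="systemd" '
    "scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t "
    "tclass=system permissive=1",
    'avc: denied { module_load } for pid=4242 comm="modprobe" '
    "scontext=system_u:system_r:init_t tcontext=system_u:object_r:modules_object_t "
    "tclass=system permissive=0",
]


@dataclass(frozen=True)
class AvcDenial:
    perms: tuple      # denied permissions, e.g. ("module_load",)
    scontext: str     # full source security context
    tcontext: str     # full target security context
    tclass: str       # object class, e.g. "system"
    fields: dict      # every key=value field on the line (pid, comm, permissive, ...)


def parse_avc(line: str) -> AvcDenial:
    """Parse one AVC denial line; raises ValueError for anything else."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    perms = tuple(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(m.group("fields"))}
    for key in ("scontext", "tcontext", "tclass"):
        if key not in fields:
            raise ValueError("AVC line lacks %s: %r" % (key, line))
    return AvcDenial(perms, fields["scontext"], fields["tcontext"], fields["tclass"], fields)


def context_type(ctx: str) -> str:
    """Return the type (third colon-separated element) of user:role:type[:range]."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % ctx)
    return parts[2]


def allow_rule(denial: AvcDenial) -> str:
    """Derive the minimal allow rule for a denial.

    When the source and target types are identical the target is written as
    'self', which is exactly the situation the thread's kernel snippet shows:
    avc_has_perm(sid, sid, SECCLASS_SYSTEM, SYSTEM__MODULE_LOAD, NULL).
    """
    stype = context_type(denial.scontext)
    ttype = context_type(denial.tcontext)
    target = "self" if stype == ttype else ttype
    if len(denial.perms) == 1:
        perms = denial.perms[0]
    else:
        perms = "{ %s }" % " ".join(denial.perms)
    return "allow %s %s:%s %s;" % (stype, target, denial.tclass, perms)


def derive_rules(log_lines) -> list:
    """Turn a batch of log lines into de-duplicated allow rules, skipping non-AVC lines."""
    rules = []
    for line in log_lines:
        try:
            rule = allow_rule(parse_avc(line))
        except ValueError:
            continue  # not a denial (or malformed); leave it out
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in derive_rules(SAMPLE_DENIALS):
        print(rule)
```

Run as a script it prints `allow init_t self:system module_load;` for the thread's denial, the same rule the patch adds via the can_load_kernmodule attribute, and a rule with an explicit target type for the constructed second line.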