From: guido@trentalancia.com (Guido Trentalancia)
Date: Thu, 10 Aug 2017 19:30:11 +0200
Subject: [refpolicy] [PATCH v2 1/1] Add module_load permission to self when loading modules is allowed
In-Reply-To: <20170810151142.GA29463@julius.enp8s0.d30>
References: <20170808065956.10200-1-nicolas.iooss@m4x.org>
 <142b7928-8d41-f552-a471-73cb2707832a@ieee.org>
 <1502384990.5184.2.camel@trentalancia.com>
 <20170810151142.GA29463@julius.enp8s0.d30>
Message-ID: <1502386211.5184.4.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello and thanks for getting back.

On Thu, 10/08/2017 at 17.11 +0200, Dominick Grift via refpolicy wrote:
> On Thu, Aug 10, 2017 at 07:09:50PM +0200, Guido Trentalancia via refpolicy wrote:
> > On Tue, 08/08/2017 at 20.03 -0400, Chris PeBenito via refpolicy wrote:
> > > On 08/08/2017 02:59 AM, Nicolas Iooss via refpolicy wrote:
> > > > When a program uses init_module() to load a module, the kernel checks
> > > > for system:load_module permission in the process type [1].
> > > > For example when systemd loads ip_tables modules (since
> > > > https://github.com/systemd/systemd/commit/1d3087978a8ee23107cb64aa55ca97aefe9531e2),
> > > > the following AVC denial gets reported:
> > > >
> > > > avc: denied { module_load } for pid=1 comm="systemd"
> > > > scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
> > > > tclass=system permissive=1
> > > >
> > > > [1] The relevant kernel code is selinux_kernel_module_from_file() in
> > > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c?h=v4.11#n3836
> > > >
> > > >     /* init_module */
> > > >     if (file == NULL)
> > > >         return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
> > > >                             SYSTEM__MODULE_LOAD, NULL);
> > > >
> > > > In this code, both source and target SIDs are current_sid().
> > > > --- > > > > policy/modules/kernel/kernel.te | 1 + > > > > 1 file changed, 1 insertion(+) > > > > > > > > diff --git a/policy/modules/kernel/kernel.te > > > > b/policy/modules/kernel/kernel.te > > > > index 424a4b511262..e2d3073b4260 100644 > > > > --- a/policy/modules/kernel/kernel.te > > > > +++ b/policy/modules/kernel/kernel.te > > > > @@ -474,6 +474,7 @@ optional_policy(` > > > > > > > > if( ! secure_mode_insmod ) { > > > > allow can_load_kernmodule self:capability sys_module; > > > > + allow can_load_kernmodule self:system module_load; > > > > > > > > files_load_kernel_modules(can_load_kernmodule) > > > > > > Merged. > > > > Hello. > > > > Sorry for my late reply... > > > > I believe this only applies to systemd. > > It doesnt. it applies to systems that have kernel modules compressed. Confirmed. > > So, is there any reason why it hasn't been enclosed in the > > appropriate > > ifdef(init_systemd) ? Regards, Guido
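Review bot: the new `allow can_load_kernmodule self:system module_load;` is placed correctly inside the `if( ! secure_mode_insmod )` block, directly beside the existing `allow can_load_kernmodule self:capability sys_module;`, so both the capability and the new system permission are withdrawn together when secure_mode_insmod is set; it would be worth adding a one-line comment in kernel.te noting that module_load on self is the check the kernel makes on the init_module() path (file == NULL, source and target SID both current_sid()), since that is not obvious from the rule alone. On the ifdef(init_systemd) question raised in this thread: the rule keys off the can_load_kernmodule attribute rather than init_t, and the thread notes it is needed on any system where modules are loaded through init_module() (e.g. with compressed kernel modules), so wrapping it in ifdef(init_systemd) would leave non-systemd module loaders denied; keeping it unconditional within the secure_mode_insmod guard is the right scope.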