[refpolicy] [PATCH 1/1] Add module_load permission to self when using files_load_kernel_modules

Nicolas Iooss nicolas.iooss at m4x.org
Mon Jul 10 20:23:39 UTC 2017


When a program uses init_module() to load a module, the kernel checks
for system:load_module permission in the process type [1].
For example when systemd loads ip_tables modules (since
https://github.com/systemd/systemd/commit/1d3087978a8ee23107cb64aa55ca97aefe9531e2),
the following AVC denial gets reported:

    avc:  denied  { module_load } for  pid=1 comm="systemd"
    scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
    tclass=system permissive=1

[1] The relevant kernel code is selinux_kernel_module_from_file() in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c?h=v4.11#n3836

    /* init_module */
    if (file == NULL)
        return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
                    SYSTEM__MODULE_LOAD, NULL);

In this code, both source and target SIDs are current_sid().
---
 policy/modules/kernel/files.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index ac5714fd439c..593a9bb981cd 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4431,7 +4431,7 @@ interface(`files_load_kernel_modules',`
 	')
 
 	files_read_kernel_modules($1)
-	allow $1 modules_object_t:system module_load;
+	allow $1 { $1 modules_object_t }:system module_load;
 ')
 
 ########################################
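Review bot: the interface's doc comment for `files_load_kernel_modules` (above this hunk, not shown) should be updated to say that the caller now also receives `module_load` on its own type, since the hunk only changes the allow rule and the new `$1` target is what covers the init_module() path where the kernel checks current_sid() against current_sid(); the refpolicy idiom for that is usually a separate `allow $1 self:system module_load;` line next to the `modules_object_t` rule (which remains the finit_module() target), so consider splitting the set `{ $1 modules_object_t }` for readability. Also, the commit message says `system:load_module` while the AVC record and the hook use `module_load`; the permission name should match.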
-- 
2.13.2
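The denial in this message is the case that catches people out: source and target contexts are identical, because for init_module() the hook passes current_sid() as both subject and object, so the rule that resolves it is a self rule, which is exactly what the `{ $1 modules_object_t }` target in the hunk adds. The following Python is an added example, not code from the patch or from refpolicy: it parses an AVC record of the shape shown above, extracts the source and target types, and emits the allow rule a policy author would write, using `self` when the two types coincide. The second sample line (a `modules_object_t` target, the finit_module() path) is constructed for illustration.

```python
import re

# Constructed sample AVC records. The first mirrors the init_module() denial
# quoted in the commit message; the second is a constructed finit_module()
# style denial where the target is the module file's type.
SAMPLE_INIT_MODULE = (
    'avc:  denied  { module_load } for  pid=1 comm="systemd" '
    'scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t '
    'tclass=system permissive=1'
)
SAMPLE_FINIT_MODULE = (
    'avc:  denied  { module_load } for  pid=1 comm="systemd" '
    'scontext=system_u:system_r:init_t tcontext=system_u:object_r:modules_object_t '
    'tclass=system permissive=1'
)

# Matches "avc: denied { perm perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict with 'perms' (list) plus each key=value field, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    record = {'perms': m.group('perms').split()}
    for key, value in FIELD_RE.findall(m.group('fields')):
        record[key] = value.strip('"')
    return record


def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % ctx)
    return parts[2]


def allow_rule(record):
    """Build the policy rule that would permit this denial.

    When the source and target types are the same, as for init_module(),
    the rule must target 'self', not the literal type name.
    """
    stype = context_type(record['scontext'])
    ttype = context_type(record['tcontext'])
    target = 'self' if stype == ttype else ttype
    perms = ' '.join(sorted(record['perms']))
    return 'allow %s %s:%s { %s };' % (stype, target, record['tclass'], perms)


def rules_for(lines):
    """Translate several AVC lines into a list of unique allow rules."""
    rules = []
    for line in lines:
        record = parse_avc(line)
        if record is None:
            continue
        rule = allow_rule(record)
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == '__main__':
    for rule in rules_for([SAMPLE_INIT_MODULE, SAMPLE_FINIT_MODULE]):
        print(rule)
```

Both rules printed for the two samples are the two targets the patched interface grants in one rule; a denial whose scontext and tcontext differ only in user or role but share the type still maps to `self`, which matches how the kernel evaluates the check by SID type.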
