selinux-refpolicy/policy/modules/system/modutils.te

199 lines
4.4 KiB
Plaintext
Raw Normal View History

policy_module(modutils, 1.22.0)
2005-11-29 21:27:15 +00:00
2005-05-11 15:46:51 +00:00
########################################
#
# Declarations
#
attribute_role kmod_roles;
type kmod_t;
type kmod_exec_t;
application_domain(kmod_t, kmod_exec_t)
2016-12-07 01:01:22 +00:00
kernel_domtrans_to(kmod_t, kmod_exec_t)
mls_file_write_all_levels(kmod_t)
roleattribute system_r kmod_roles;
role kmod_roles types kmod_t;
2005-04-14 20:18:17 +00:00
2009-08-05 14:11:08 +00:00
# module loading config
type modules_conf_t;
files_type(modules_conf_t)
# module dependencies
type modules_dep_t;
files_type(modules_dep_t)
ifdef(`init_systemd',`
type kmod_tmpfiles_conf_t;
systemd_tmpfiles_conf_file(kmod_tmpfiles_conf_t)
systemd_tmpfiles_conf_filetrans(kmod_t, kmod_tmpfiles_conf_t, file)
')
2009-08-05 14:11:08 +00:00
########################################
#
# insmod local policy
#
allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
# for the radeon/amdgpu modules
dontaudit kmod_t self:capability sys_admin;
allow kmod_t self:udp_socket create_socket_perms;
allow kmod_t self:rawip_socket create_socket_perms;
2005-05-11 15:22:28 +00:00
# Read module config and dependency information
list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
list_dirs_pattern(kmod_t, modules_dep_t, modules_dep_t)
manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)
allow kmod_t modules_dep_t:file map;
filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
allow kmod_t modules_object_t:file map;
can_exec(kmod_t, kmod_exec_t)
kernel_load_module(kmod_t)
kernel_request_load_module(kmod_t)
kernel_read_crypto_sysctls(kmod_t)
kernel_read_system_state(kmod_t)
kernel_read_network_state(kmod_t)
kernel_write_proc_files(kmod_t)
kernel_mount_debugfs(kmod_t)
kernel_mount_kvmfs(kmod_t)
kernel_read_debugfs(kmod_t)
2016-12-07 01:01:22 +00:00
kernel_search_key(kmod_t)
2005-04-14 20:18:17 +00:00
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctls(kmod_t)
kernel_rw_kernel_sysctl(kmod_t)
kernel_read_hotplug_sysctls(kmod_t)
kernel_setsched(kmod_t)
# for when /var is not mounted early in the boot:
kernel_dontaudit_search_unlabeled(kmod_t)
corecmd_exec_bin(kmod_t)
corecmd_exec_shell(kmod_t)
dev_rw_sysfs(kmod_t)
dev_search_usbfs(kmod_t)
dev_rw_mtrr(kmod_t)
dev_read_urand(kmod_t)
dev_rw_agp(kmod_t)
dev_read_sound(kmod_t)
dev_write_sound(kmod_t)
dev_rw_acpi_bios(kmod_t)
domain_signal_all_domains(kmod_t)
domain_use_interactive_fds(kmod_t)
files_read_kernel_modules(kmod_t)
modutils: allow depmod to read /boot/System.map On a Debian system, when installing a package which provides a kernel module with DKMS, the module is compiled and depmod is executed with a command line that looks like: depmod -a 4.19.0-5-amd64 -F /boot/System.map-4.19.0-5-amd64 This obviously requires depmod to read System.map. Otherwise, the following events are logged to audit.log: type=AVC msg=audit(1567802614.408:138551): avc: denied { search } for pid=12090 comm="depmod" name="boot" dev="vda1" ino=262145 scontext=sysadm_u:sysadm_r:kmod_t tcontext=system_u:object_r:boot_t tclass=dir permissive=0 type=AVC msg=audit(1567802670.132:138555): avc: denied { read } for pid=14210 comm="depmod" name="System.map-4.19.0-5-amd64" dev="vda1" ino=262148 scontext=sysadm_u:sysadm_r:kmod_t tcontext=system_u:object_r:system_map_t tclass=file permissive=1 type=AVC msg=audit(1567802670.132:138555): avc: denied { open } for pid=14210 comm="depmod" path="/boot/System.map-4.19.0-5-amd64" dev="vda1" ino=262148 scontext=sysadm_u:sysadm_r:kmod_t tcontext=system_u:object_r:system_map_t tclass=file permissive=1 type=AVC msg=audit(1567802670.136:138556): avc: denied { getattr } for pid=14210 comm="depmod" path="/boot/System.map-4.19.0-5-amd64" dev="vda1" ino=262148 scontext=sysadm_u:sysadm_r:kmod_t tcontext=system_u:object_r:system_map_t tclass=file permissive=1 and depmod fails, which makes apt fails with: wireguard.ko: Running module version sanity check. - Original module - No original module exists within this kernel - Installation - Installing to /lib/modules/4.19.0-5-amd64/updates/dkms/ depmod...(bad exit status: 1) [...] Error! Problems with depmod detected. Automatically uninstalling this module. DKMS: Install Failed (depmod problems). Module rolled back to built state. dpkg: error processing package wireguard-dkms (--configure): installed wireguard-dkms package post-installation script subprocess returned error exit status 6 [...] Errors were encountered while processing: wireguard-dkms E: Sub-process /usr/bin/dpkg returned an error code (1) Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 21:03:19 +00:00
files_read_kernel_symbol_table(kmod_t)
files_read_etc_runtime_files(kmod_t)
files_read_etc_files(kmod_t)
files_read_usr_files(kmod_t)
files_exec_etc_files(kmod_t)
files_search_tmp(kmod_t)
# for nscd:
files_dontaudit_search_pids(kmod_t)
# to manage modules.dep
files_manage_kernel_modules(kmod_t)
2009-08-05 14:11:08 +00:00
fs_getattr_xattr_fs(kmod_t)
fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
fs_search_tracefs(kmod_t)
2005-04-14 20:18:17 +00:00
init_rw_initctl(kmod_t)
init_use_fds(kmod_t)
init_use_script_fds(kmod_t)
init_use_script_ptys(kmod_t)
2005-05-03 20:44:35 +00:00
logging_send_syslog_msg(kmod_t)
logging_search_logs(kmod_t)
2005-04-14 20:18:17 +00:00
miscfiles_read_localization(kmod_t)
2005-04-14 20:18:17 +00:00
seutil_read_file_contexts(kmod_t)
userdom_use_user_terminals(kmod_t)
2008-11-05 16:10:46 +00:00
userdom_dontaudit_search_user_home_dirs(kmod_t)
2008-02-05 18:24:43 +00:00
ifdef(`init_systemd',`
# for /run/tmpfiles.d/kmod.conf
allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
# kmod needs to create /run/tmpdiles.d
systemd_tmpfiles_creator(kmod_t)
init_rw_stream_sockets(kmod_t)
')
optional_policy(`
alsa_domtrans(kmod_t)
')
optional_policy(`
apt_use_fds(kmod_t)
apt_use_ptys(kmod_t)
')
optional_policy(`
2018-02-15 22:10:34 +00:00
# for postinst of a new kernel package
dpkg_manage_script_tmp_files(kmod_t)
2018-02-15 22:10:34 +00:00
dpkg_map_script_tmp_files(kmod_t)
dpkg_read_script_tmp_symlinks(kmod_t)
')
optional_policy(`
firstboot_dontaudit_rw_pipes(kmod_t)
firstboot_dontaudit_rw_stream_sockets(kmod_t)
')
optional_policy(`
hal_write_log(kmod_t)
')
optional_policy(`
hotplug_search_config(kmod_t)
2005-09-15 21:03:29 +00:00
')
optional_policy(`
iptables_dontaudit_read_pids(kmod_t)
')
optional_policy(`
mount_domtrans(kmod_t)
')
2005-04-14 20:18:17 +00:00
optional_policy(`
nis_use_ypbind(kmod_t)
')
optional_policy(`
nscd_use(kmod_t)
2005-09-15 21:03:29 +00:00
')
optional_policy(`
fs_manage_ramfs_files(kmod_t)
2006-03-09 19:02:29 +00:00
rhgb_use_fds(kmod_t)
rhgb_dontaudit_use_ptys(kmod_t)
xserver_dontaudit_write_log(kmod_t)
xserver_stream_connect(kmod_t)
xserver_dontaudit_rw_stream_sockets(kmod_t)
2006-03-09 19:02:29 +00:00
')
optional_policy(`
rpm_rw_pipes(kmod_t)
2005-07-12 20:34:24 +00:00
')
optional_policy(`
2006-04-03 19:49:47 +00:00
# cjp: why is this needed:
dev_rw_xserver_misc(kmod_t)
2006-04-03 19:49:47 +00:00
xserver_getattr_log(kmod_t)
2005-09-16 21:20:37 +00:00
')
2005-04-14 20:18:17 +00:00