selinux-refpolicy/policy/modules/system/modutils.fc

/bin/kmod		--	gen_context(system_u:object_r:kmod_exec_t,s0)

/etc/modules\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
/etc/modprobe\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
/etc/modprobe\.d(/.*)?		gen_context(system_u:object_r:modules_conf_t,s0)

ifdef(`distro_gentoo',`
# gentoo init scripts still manage this file
# even if devfs is off
/etc/modprobe.devfs.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
')

/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)

/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)

/run/tmpfiles.d(/.*)?	gen_context(system_u:object_r:kmod_var_run_t,s0)

/sbin/depmod.*		--	gen_context(system_u:object_r:kmod_exec_t,s0)
/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:kmod_exec_t,s0)
/sbin/insmod.*		--	gen_context(system_u:object_r:kmod_exec_t,s0)
/sbin/modprobe.*	--	gen_context(system_u:object_r:kmod_exec_t,s0)
/sbin/modules-update	--	gen_context(system_u:object_r:kmod_exec_t,s0)
/sbin/rmmod.*		--	gen_context(system_u:object_r:kmod_exec_t,s0)
/sbin/update-modules	--	gen_context(system_u:object_r:kmod_exec_t,s0)

/usr/bin/kmod		--	gen_context(system_u:object_r:kmod_exec_t,s0)

/usr/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)

/usr/sbin/depmod.*		--	gen_context(system_u:object_r:kmod_exec_t,s0)
/usr/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:kmod_exec_t,s0)
/usr/sbin/insmod.*		--	gen_context(system_u:object_r:kmod_exec_t,s0)
/usr/sbin/modprobe.*		--	gen_context(system_u:object_r:kmod_exec_t,s0)
/usr/sbin/modules-update	--	gen_context(system_u:object_r:kmod_exec_t,s0)
/usr/sbin/rmmod.*		--	gen_context(system_u:object_r:kmod_exec_t,s0)
/usr/sbin/update-modules	--	gen_context(system_u:object_r:kmod_exec_t,s0)
single binary modutils On Tuesday, 2 August 2016 7:59:28 PM AEDT Chris PeBenito wrote: > On 07/31/16 08:34, Russell Coker wrote: > > The following patch deals with a single binary for modutils, so depmod_t, > > and insmod_t are merged. > > Since the main SELinux distros (including RHEL/CentOS 7) all have merged > modutils these days, I'm open to taking a patch that fully merges these > domains (in which case renaming to kmod_t, with proper aliasing seems > the best idea). > > However, it's been some time since I used a busybox-based system; does > busybox still have separated tools? Yes, this is a bit of an obvious > question since busybox is also single-binary, but IIRC, the embedded > guys made some tiny helper scripts or executables so proper > transitioning could occur. Separate domains may still make sense. As we have had no response from Busybox users in the last 3 months and also no response to the thread Luis started in 2013 I think it's safe to assume that they don't need this. I've attached a new patch which renames to kmod_t as you suggested. Please consider it for inclusion. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ Description: Change modutils policy to match the use of a single binary Author: Russell Coker <russell@coker.com.au> Last-Update: 2014-06-25 2016-10-21 08:35:53 +00:00			`/bin/kmod -- gen_context(system_u:object_r:kmod_exec_t,s0)`
initial commit 2005-05-10 19:51:00 +00:00
rename context_template() to gen_context() 2005-10-06 19:33:06 +00:00			`/etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)`
			`/etc/modprobe\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)`
Iptables and modutils patches from Dan Walsh. 2009-12-01 14:23:11 +00:00			`/etc/modprobe\.d(/.*)? gen_context(system_u:object_r:modules_conf_t,s0)`
initial commit 2005-05-10 19:51:00 +00:00
testing fixes 2006-08-18 18:20:22 +00:00			ifdef(`distro_gentoo',`
			`# gentoo init scripts still manage this file`
			`# even if devfs is off`
			`/etc/modprobe.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0)`
			`')`

second part of dans patch Fri, 14 Apr 2006 08:08:43 -0400 2006-04-17 17:54:57 +00:00			`/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)`
initial commit 2005-05-10 19:51:00 +00:00
second part of dans patch Fri, 14 Apr 2006 08:08:43 -0400 2006-04-17 17:54:57 +00:00			`/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)`
initial commit 2005-05-10 19:51:00 +00:00
Add file contexts in /usr for /bin, /usr/sbin and /usr/lib Some policy modules define file contexts in /bin, /sbin and /lib without defining similar file contexts in the same directory under /usr. Add these missing file contexts when there are outside ifdef blocks. 2016-12-27 16:06:54 +00:00			`/run/tmpfiles.d(/.*)? gen_context(system_u:object_r:kmod_var_run_t,s0)`

single binary modutils On Tuesday, 2 August 2016 7:59:28 PM AEDT Chris PeBenito wrote: > On 07/31/16 08:34, Russell Coker wrote: > > The following patch deals with a single binary for modutils, so depmod_t, > > and insmod_t are merged. > > Since the main SELinux distros (including RHEL/CentOS 7) all have merged > modutils these days, I'm open to taking a patch that fully merges these > domains (in which case renaming to kmod_t, with proper aliasing seems > the best idea). > > However, it's been some time since I used a busybox-based system; does > busybox still have separated tools? Yes, this is a bit of an obvious > question since busybox is also single-binary, but IIRC, the embedded > guys made some tiny helper scripts or executables so proper > transitioning could occur. Separate domains may still make sense. As we have had no response from Busybox users in the last 3 months and also no response to the thread Luis started in 2013 I think it's safe to assume that they don't need this. I've attached a new patch which renames to kmod_t as you suggested. Please consider it for inclusion. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ Description: Change modutils policy to match the use of a single binary Author: Russell Coker <russell@coker.com.au> Last-Update: 2014-06-25 2016-10-21 08:35:53 +00:00			`/sbin/depmod.* -- gen_context(system_u:object_r:kmod_exec_t,s0)`
			`/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:kmod_exec_t,s0)`
			`/sbin/insmod.* -- gen_context(system_u:object_r:kmod_exec_t,s0)`
			`/sbin/modprobe.* -- gen_context(system_u:object_r:kmod_exec_t,s0)`
			`/sbin/modules-update -- gen_context(system_u:object_r:kmod_exec_t,s0)`
			`/sbin/rmmod.* -- gen_context(system_u:object_r:kmod_exec_t,s0)`
			`/sbin/update-modules -- gen_context(system_u:object_r:kmod_exec_t,s0)`
Add insmod_exec_t label for kmod executable lsmod, rmmod, insmod, modinfo, modprobe and depmod are now symlinks to the kmod executable 2012-09-13 11:44:35 +00:00
single binary modutils On Tuesday, 2 August 2016 7:59:28 PM AEDT Chris PeBenito wrote: > On 07/31/16 08:34, Russell Coker wrote: > > The following patch deals with a single binary for modutils, so depmod_t, > > and insmod_t are merged. > > Since the main SELinux distros (including RHEL/CentOS 7) all have merged > modutils these days, I'm open to taking a patch that fully merges these > domains (in which case renaming to kmod_t, with proper aliasing seems > the best idea). > > However, it's been some time since I used a busybox-based system; does > busybox still have separated tools? Yes, this is a bit of an obvious > question since busybox is also single-binary, but IIRC, the embedded > guys made some tiny helper scripts or executables so proper > transitioning could occur. Separate domains may still make sense. As we have had no response from Busybox users in the last 3 months and also no response to the thread Luis started in 2013 I think it's safe to assume that they don't need this. I've attached a new patch which renames to kmod_t as you suggested. Please consider it for inclusion. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ Description: Change modutils policy to match the use of a single binary Author: Russell Coker <russell@coker.com.au> Last-Update: 2014-06-25 2016-10-21 08:35:53 +00:00			`/usr/bin/kmod -- gen_context(system_u:object_r:kmod_exec_t,s0)`
Add file contexts in /usr for /bin, /usr/sbin and /usr/lib Some policy modules define file contexts in /bin, /sbin and /lib without defining similar file contexts in the same directory under /usr. Add these missing file contexts when there are outside ifdef blocks. 2016-12-27 16:06:54 +00:00
			`/usr/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)`
			`/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)`

			`/usr/sbin/depmod.* -- gen_context(system_u:object_r:kmod_exec_t,s0)`
			`/usr/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:kmod_exec_t,s0)`
			`/usr/sbin/insmod.* -- gen_context(system_u:object_r:kmod_exec_t,s0)`
			`/usr/sbin/modprobe.* -- gen_context(system_u:object_r:kmod_exec_t,s0)`
			`/usr/sbin/modules-update -- gen_context(system_u:object_r:kmod_exec_t,s0)`
			`/usr/sbin/rmmod.* -- gen_context(system_u:object_r:kmod_exec_t,s0)`
			`/usr/sbin/update-modules -- gen_context(system_u:object_r:kmod_exec_t,s0)`