RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

modutils: allow depmod to read /boot/System.map 

On a Debian system, when installing a package which provides a kernel
module with DKMS, the module is compiled and depmod is executed with a
command line that looks like:

    depmod -a 4.19.0-5-amd64 -F /boot/System.map-4.19.0-5-amd64

This obviously requires depmod to read System.map. Otherwise, the
following events are logged to audit.log:

    type=AVC msg=audit(1567802614.408:138551): avc:  denied  { search }
    for  pid=12090 comm="depmod" name="boot" dev="vda1" ino=262145
    scontext=sysadm_u:sysadm_r:kmod_t tcontext=system_u:object_r:boot_t
    tclass=dir permissive=0

    type=AVC msg=audit(1567802670.132:138555): avc:  denied  { read }
    for  pid=14210 comm="depmod" name="System.map-4.19.0-5-amd64"
    dev="vda1" ino=262148 scontext=sysadm_u:sysadm_r:kmod_t
    tcontext=system_u:object_r:system_map_t tclass=file permissive=1

    type=AVC msg=audit(1567802670.132:138555): avc:  denied  { open }
    for  pid=14210 comm="depmod" path="/boot/System.map-4.19.0-5-amd64"
    dev="vda1" ino=262148 scontext=sysadm_u:sysadm_r:kmod_t
    tcontext=system_u:object_r:system_map_t tclass=file permissive=1

    type=AVC msg=audit(1567802670.136:138556): avc:  denied  { getattr }
    for  pid=14210 comm="depmod" path="/boot/System.map-4.19.0-5-amd64"
    dev="vda1" ino=262148 scontext=sysadm_u:sysadm_r:kmod_t
    tcontext=system_u:object_r:system_map_t tclass=file permissive=1

and depmod fails, which makes apt fails with:

    wireguard.ko:
    Running module version sanity check.
     - Original module
       - No original module exists within this kernel
     - Installation
       - Installing to /lib/modules/4.19.0-5-amd64/updates/dkms/

    depmod...(bad exit status: 1)

    [...]

    Error! Problems with depmod detected.  Automatically uninstalling
    this module.
    DKMS: Install Failed (depmod problems).  Module rolled back to built
    state.
    dpkg: error processing package wireguard-dkms (--configure):
     installed wireguard-dkms package post-installation script
    subprocess returned error exit status 6

    [...]

    Errors were encountered while processing:
     wireguard-dkms
    E: Sub-process /usr/bin/dpkg returned an error code (1)

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This commit is contained in:
Nicolas Iooss 2019-09-06 23:03:19 +02:00
parent 51c4812c23
commit b3119f1d17
No known key found for this signature in database
GPG Key ID: C191415F340DAAA0
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
policy/modules/system/modutils.te
View File

@ -90,6 +90,7 @@ domain_signal_all_domains(kmod_t)
domain_use_interactive_fds(kmod_t) domain_use_interactive_fds(kmod_t)
files_read_kernel_modules(kmod_t) files_read_kernel_modules(kmod_t)
files_read_kernel_symbol_table(kmod_t)
files_read_etc_runtime_files(kmod_t) files_read_etc_runtime_files(kmod_t)
files_read_etc_files(kmod_t) files_read_etc_files(kmod_t)
files_read_usr_files(kmod_t) files_read_usr_files(kmod_t)