policy_module(modutils, 1.22.0) ######################################## # # Declarations # attribute_role kmod_roles; type kmod_t; type kmod_exec_t; application_domain(kmod_t, kmod_exec_t) kernel_domtrans_to(kmod_t, kmod_exec_t) mls_file_write_all_levels(kmod_t) roleattribute system_r kmod_roles; role kmod_roles types kmod_t; # module loading config type modules_conf_t; files_type(modules_conf_t) # module dependencies type modules_dep_t; files_type(modules_dep_t) ifdef(`init_systemd',` type kmod_tmpfiles_conf_t; systemd_tmpfiles_conf_file(kmod_tmpfiles_conf_t) systemd_tmpfiles_conf_filetrans(kmod_t, kmod_tmpfiles_conf_t, file) ') ######################################## # # insmod local policy # allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config }; allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal }; # for the radeon/amdgpu modules dontaudit kmod_t self:capability sys_admin; allow kmod_t self:udp_socket create_socket_perms; allow kmod_t self:rawip_socket create_socket_perms; # Read module config and dependency information list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t) read_files_pattern(kmod_t, modules_conf_t, modules_conf_t) list_dirs_pattern(kmod_t, modules_dep_t, modules_dep_t) manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t) allow kmod_t modules_dep_t:file map; filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file) create_files_pattern(kmod_t, modules_object_t, modules_dep_t) delete_files_pattern(kmod_t, modules_object_t, modules_dep_t) allow kmod_t modules_object_t:file map; can_exec(kmod_t, kmod_exec_t) kernel_load_module(kmod_t) kernel_request_load_module(kmod_t) kernel_read_crypto_sysctls(kmod_t) kernel_read_system_state(kmod_t) kernel_read_network_state(kmod_t) kernel_write_proc_files(kmod_t) kernel_mount_debugfs(kmod_t) kernel_mount_kvmfs(kmod_t) kernel_read_debugfs(kmod_t) kernel_search_key(kmod_t) # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(kmod_t) kernel_rw_kernel_sysctl(kmod_t) kernel_read_hotplug_sysctls(kmod_t) kernel_setsched(kmod_t) # for when /var is not mounted early in the boot: kernel_dontaudit_search_unlabeled(kmod_t) corecmd_exec_bin(kmod_t) corecmd_exec_shell(kmod_t) dev_rw_sysfs(kmod_t) dev_search_usbfs(kmod_t) dev_rw_mtrr(kmod_t) dev_read_urand(kmod_t) dev_rw_agp(kmod_t) dev_read_sound(kmod_t) dev_write_sound(kmod_t) dev_rw_acpi_bios(kmod_t) domain_signal_all_domains(kmod_t) domain_use_interactive_fds(kmod_t) files_read_kernel_modules(kmod_t) files_read_kernel_symbol_table(kmod_t) files_read_etc_runtime_files(kmod_t) files_read_etc_files(kmod_t) files_read_usr_files(kmod_t) files_exec_etc_files(kmod_t) files_search_tmp(kmod_t) # for nscd: files_dontaudit_search_pids(kmod_t) # to manage modules.dep files_manage_kernel_modules(kmod_t) fs_getattr_xattr_fs(kmod_t) fs_dontaudit_use_tmpfs_chr_dev(kmod_t) fs_search_tracefs(kmod_t) init_rw_initctl(kmod_t) init_use_fds(kmod_t) init_use_script_fds(kmod_t) init_use_script_ptys(kmod_t) logging_send_syslog_msg(kmod_t) logging_search_logs(kmod_t) miscfiles_read_localization(kmod_t) seutil_read_file_contexts(kmod_t) userdom_use_user_terminals(kmod_t) userdom_dontaudit_search_user_home_dirs(kmod_t) ifdef(`init_systemd',` # for /run/tmpfiles.d/kmod.conf allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms; # kmod needs to create /run/tmpdiles.d systemd_tmpfiles_creator(kmod_t) init_rw_stream_sockets(kmod_t) ') optional_policy(` alsa_domtrans(kmod_t) ') optional_policy(` apt_use_fds(kmod_t) apt_use_ptys(kmod_t) ') optional_policy(` # for postinst of a new kernel package dpkg_manage_script_tmp_files(kmod_t) dpkg_map_script_tmp_files(kmod_t) dpkg_read_script_tmp_symlinks(kmod_t) ') optional_policy(` firstboot_dontaudit_rw_pipes(kmod_t) firstboot_dontaudit_rw_stream_sockets(kmod_t) ') optional_policy(` hal_write_log(kmod_t) ') optional_policy(` hotplug_search_config(kmod_t) ') optional_policy(` iptables_dontaudit_read_pids(kmod_t) ') optional_policy(` mount_domtrans(kmod_t) ') optional_policy(` nis_use_ypbind(kmod_t) ') optional_policy(` nscd_use(kmod_t) ') optional_policy(` fs_manage_ramfs_files(kmod_t) rhgb_use_fds(kmod_t) rhgb_dontaudit_use_ptys(kmod_t) xserver_dontaudit_write_log(kmod_t) xserver_stream_connect(kmod_t) xserver_dontaudit_rw_stream_sockets(kmod_t) ') optional_policy(` rpm_rw_pipes(kmod_t) ') optional_policy(` # cjp: why is this needed: dev_rw_xserver_misc(kmod_t) xserver_getattr_log(kmod_t) ')