nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

modutils: allow depmod and modprobe to use the I/O provided by apt

Browse Source 
On Debian, when installing a package which provides a kernel module with
DKMS, depmod and modprobe are invoked using a dedicated pseudo-tty:

    type=AVC msg=audit(1567803320.004:138586): avc:  denied  { read
    write } for  pid=19269 comm="depmod" path="/dev/pts/2" dev="devpts"
    ino=5 scontext=sysadm_u:sysadm_r:kmod_t
    tcontext=sysadm_u:object_r:apt_devpts_t tclass=chr_file
    permissive=1

    type=AVC msg=audit(1567803320.664:138589): avc:  denied  { use } for
    pid=19276 comm="modprobe" path="/dev/pts/2" dev="devpts" ino=5
    scontext=sysadm_u:sysadm_r:kmod_t tcontext=sysadm_u:sysadm_r:apt_t
    tclass=fd permissive=1

    type=AVC msg=audit(1567803320.664:138589): avc:  denied  { append }
    for  pid=19276 comm="modprobe" path="/dev/pts/2" dev="devpts" ino=5
    scontext=sysadm_u:sysadm_r:kmod_t
    tcontext=sysadm_u:object_r:apt_devpts_t tclass=chr_file
    permissive=1

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This commit is contained in:
Nicolas Iooss 2019-09-06 23:08:24 +02:00
parent b3119f1d17
commit b4377dfd67
No known key found for this signature in database
GPG Key ID: C191415F340DAAA0
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
policy/modules/system/modutils.te
View File

@ -134,6 +134,11 @@ optional_policy(`
alsa_domtrans(kmod_t)
')
optional_policy(`
apt_use_fds(kmod_t)
apt_use_ptys(kmod_t)
')
optional_policy(`
# for postinst of a new kernel package
dpkg_manage_script_tmp_files(kmod_t)