From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] kmod
Date: Wed, 13 Nov 2013 09:45:14 -0500
Message-ID: <5283907A.5020902@tresys.com>
In-Reply-To: <20131109143209.2fe65eb6@gentp.lnet>
On 11/09/13 08:32, Luis Ressel wrote:
> I'm experiencing a problem with the kernel's "make modules_install".
> The old modutils had different binaries for modprobe, lsmod, depmod
> etc, but its successor kmod only has one multi-call binary with several
> symlinks to it.
>
> The system/modutils part of refpolicy has two separate application
> domains, insmod_t (for the various module-loading commands) and
> depmod_t (for depmod, invoked only during compilation). Only the latter
> is allowed to write module_dep_t files.
>
> But when using kmod, /sbin/depmod is only a symlink to /bin/kmod.
> Therefore it runs in the insmod_t domain and isn't allowed to write
> module_dep_t files.
>
> I see three possible solutions:
> 1) Unify the insmod_t and depmod_t domains (problem: weakens protection)
> 2) Patch kmod to be selinux-aware and choose the appropriate domain
> (problems: also requires policy changes, upstream might be
> uninterested in including the patches)
> 3) Make /sbin/depmod a wrapper instead of a symlink.
I think the answer is either 1 or 3. I highly doubt that 2 would be acceptable to kmod upstream. It also requires some appconfig files to tell what domain corresponds to the insmod/depmod/etc functions. Doing 3 would depend on distros doing it, so unless that happens, 1 is the only choice.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
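Option 3 from the list above, as an added example that is neither refpolicy's nor kmod's code: a wrapper installed in place of the /sbin/depmod symlink, plus a helper that shows why the symlink itself can never get its own domain. Assumed: the wrapper runs under bash, kmod selects its personality from argv[0], and a file-context entry gives the wrapper file the depmod_exec_t type.

```shell
#!/bin/sh
# Added example, not from the thread, refpolicy or kmod: option 3
# (wrapper instead of symlink) and a check of the underlying problem.

# Print the file the kernel really executes for the given path.  A
# symlink is resolved before execve(), so /sbin/depmod -> /bin/kmod
# executes /bin/kmod and the domain transition is computed from that
# file's type (insmod_exec_t), whatever label the symlink carries.
exec_target() {
    readlink -f -- "$1"
}

# Succeed only if the path is a regular file, i.e. something that can
# carry its own file context; fail for a symlink.
can_carry_own_context() {
    [ ! -L "$1" ] && [ -f "$1" ]
}

# Install a bash wrapper at $1 that runs the multi-call binary $2 with
# argv[0] set to "depmod", exactly what the symlink used to provide, so
# kmod still picks the depmod personality (assumed argv[0] dispatch).
# Being a regular file, the wrapper can be labelled depmod_exec_t by a
# file-context entry for /sbin/depmod (assumed), so callers transition
# to depmod_t.  Caveat: depmod_t must then be allowed to execute the
# kmod binary's type without a further transition.
install_depmod_wrapper() {
    wrapper=$1
    kmod_bin=$2
    rm -f -- "$wrapper"
    cat > "$wrapper" <<EOF
#!/bin/bash
# Wrapper so that depmod is a distinct executable for SELinux labelling.
exec -a depmod "$kmod_bin" "\$@"
EOF
    chmod 0755 -- "$wrapper"
}
```

Check the result with `ls -Z /sbin/depmod` after relabelling: the wrapper, unlike the old symlink, shows its own type.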
Thread overview: 6+ messages
2013-11-09 13:32 [refpolicy] kmod Luis Ressel
2013-11-09 13:52 ` Luis Ressel
2013-11-09 14:01 ` Luis Ressel
2013-11-13 14:45 ` Christopher J. PeBenito [this message]
2013-11-13 16:27 ` Luis Ressel
2014-02-18 18:13 ` Luis Ressel