[refpolicy] modules_object_t vs. modules_dep_t labeling

[dwalsh@redhat.com (Daniel J Walsh)]

On 10/10/2015 03:17 AM, Sven Vermeulen wrote:
> On Thu, Oct 8, 2015 at 3:15 PM, Christopher J. PeBenito
> <cpebenito@tresys.com> wrote:
>>> In Fedora, we removed all these transitions for modules_dep_t labeling
>>> and we go only with modules_object_t. If it works I can post patches.
>> In an ideal world, the two types would still work fine, as we don't want
>> insmod to have the permissions for writing kernel modules.  However, now
>> that depmod, insmod, etc. are all merged into a single binary, this
>> complicates things, since the policy doesn't necessarily know with
>> absolute certainty which tool kmod is acting as.  Additionally, if kmod
>> is malfunctioning, it doesn't matter so much if it can write kernel
>> modules, since it can simply generate a kernel module in memory and
>> insert it (or load a module into memory from disk, alter it, and then
>> insert it).
>>
>> I guess that's my long-winded way of saying I'm on the fence but leaning
>> towards merging the types.  In fact, it might make sense to simply make
>> a new kmod_t domain that aliases the old insmod and depmod domains,
>> entrypoints, etc.
>>
>> Does the Gentoo team have any opinion?
> We've had our share of kmod and mislabeling issues too. I'm in favour
> of merging the types as that would make it considerably easier to
> handle (now and in the future).
>
> Wkr,
>   Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
This separation on types from a security difference has never made much
of a difference and has
caused mislabeling issues for years.  I believe you should merge the types.