From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 6 Oct 2015 13:29:15 +0200
Subject: [refpolicy] modules_object_t vs. modules_dep_t labeling
In-Reply-To: <5612CCDC.3020900@tresys.com>
References: <560D03C1.9060102@redhat.com> <20151005163442.GB21879@x250> <5612CCDC.3020900@tresys.com>
Message-ID: <20151006112913.GB27034@x250>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Mon, Oct 05, 2015 at 03:17:48PM -0400, Christopher J. PeBenito wrote:
> On 10/5/2015 12:34 PM, Dominick Grift wrote:
> > On Thu, Oct 01, 2015 at 11:58:25AM +0200, Miroslav Grepl wrote:
> >> We have more and more bugs with mislabeled /lib/modules/*/modules.dep*
> >> files. There is a default label for them - modules_dep_t but we get them
> >> labeled as modules_object_t. Yes, we can add filename transition rules
> >> and also find a reason why they get wrong labeling (in progress).
> >
> >> But is there a big advantage to have these two labels. At least I don't
> >> see it from the policy point of view (sesearch).
> >
> >> Thank you.
> >
> >
> > Still not verified but:
> >
> > /sbin/depmod is a link to /bin/kmod
> >
> > So I suspect /bin/kmod now creates the modules_dep files via rpm_script_t %post and
> > the /sbin/new_kernel_pkg shell script:
> >
> > doDepmod() {
> >     [ -n "$verbose" ] && echo "running depmod for $version"
> >     depmod -ae -F /boot/System.map-$version $version
> > }
> >
> > but because insmod_t is lacking the appropriate auto object type transitions and because insmod is
> > unconfined, the files get created with the wrong label.
> >
> > So you should copy the auto object type transition rules for modules_dep
> > from depmod to insmod, I suspect.
> >
> > I would not want insmod_t to be able to mess with modules_object_t type
> > files.
> >
> > But yes, in Fedora insmod is unconfined...
>
> Thanks for digging through this issue. For the time being, we'll keep
> what we have. Miroslav, if the type transition Dominick suggests works,
> then we can put it in refpolicy.

I have confirmed that the above applies, and have it implemented now in my
personal policy.

If one ensures that /bin/kmod is labeled with the insmod_exec_t type, and
if one ensures that insmod_t creates files in modules_object_t type
directories with an auto object type transition from modules_object_t to
modules_dep_t, then the module dep files should get labeled properly
(there should be no real need for name-based auto object type
transitions).

If you do use name-based auto object type transitions, then make sure you
at least add the name modules.dep.tmp (it renames it later to modules.dep).

- --
02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCgAGBQJWE7CFAAoJENAR6kfG5xmcfdEL/RDkMQLPU2DBuW4aJNrV83qM
hQqvvBGK854VOinPlYCgEwrNbWLfFBWvjgat4ZfCO6RQ39+wj17VBdG6LauhLWBZ
r3YNI1YtR18tZCgloU76DWOJ11BTkLEi9CTZ19P11V0b31+qZS8KBX78QIHGctpQ
x42seOEdtwQso/qPWeVoFCSBlLFU2cl8/iiw+96j/gwt+vUe82bEkEFCW7/mhQWt
RkPzDfb+giXRaftIjntb1XS5qCsD4EncfKw5NtZ8xlPqPY40Ez3QxmdG5rldC7XJ
pAlI8+pXDETUzQvsABaKVAigpTARGZ0lsivhYhVZa6MJyO1qhn6xGG2c5xZL/Xtv
JUOdZjOMsJHeILZlNutZlf8KdlOEmmzplpwILzwvFcsTCluhEVHOQEJP/wBgojgY
yT+pzB6qA7p7D1JfHa7YMetirs2nj3N+O0BFsib+ZJrXfn9h7ZHQjRtR/dnv8sWp
mZGyOml72tEHQRTC155LMVg0Z3scF/jq9n/GXsajGQ==
=F55F
-----END PGP SIGNATURE-----
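The two changes Dominick describes above (label the kmod multi-call binary as insmod_exec_t, and give insmod_t a type transition from modules_object_t directories to modules_dep_t files), written out as a refpolicy-style fragment. This is an added example, not code from the thread or from refpolicy itself; the filetrans_pattern() and gen_context() interfaces and the modutils.fc/modutils.te file names are refpolicy conventions, and the exact lines and paths are assumptions, so check them against the module you are patching.

```selinux
# ---- modutils.fc (added example) ----
# /sbin/depmod is a symlink to kmod, so the binary that actually runs
# must carry insmod_exec_t or the depmod run never enters insmod_t.
/bin/kmod		--	gen_context(system_u:object_r:insmod_exec_t,s0)
/usr/bin/kmod		--	gen_context(system_u:object_r:insmod_exec_t,s0)

# ---- modutils.te (added example) ----
# Any file that insmod_t creates inside a modules_object_t directory is
# created as modules_dep_t. No name component: modules.dep, modules.dep.bin,
# modules.dep.tmp and friends are all covered, and the later rename from
# modules.dep.tmp to modules.dep keeps the type the file was created with.
filetrans_pattern(insmod_t, modules_object_t, modules_dep_t, file)

# What the macro above expands to in raw kernel policy language, roughly:
#   allow insmod_t modules_object_t:dir rw_dir_perms;
#   type_transition insmod_t modules_object_t:file modules_dep_t;

# Name-based alternative, if you want to restrict the transition to known
# names. The temporary name must be listed too, because depmod writes
# modules.dep.tmp first and renames it; a rule for modules.dep alone would
# leave the file as modules_object_t.
# filetrans_pattern(insmod_t, modules_object_t, modules_dep_t, file, "modules.dep")
# filetrans_pattern(insmod_t, modules_object_t, modules_dep_t, file, "modules.dep.tmp")
```

After rebuilding and loading the module, confirm the transition exists with `sesearch -T -s insmod_t -t modules_object_t -c file`, confirm the binary label with `matchpathcon /bin/kmod`, then run `depmod -a` and check `ls -Z /lib/modules/$(uname -r)/modules.dep*`; if the files still come out as modules_object_t, either depmod did not run as insmod_t (check `ps -Z` or the audit log) or the files were relabeled back by a later restorecon with a stale file context.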