From mboxrd@z Thu Jan 1 00:00:00 1970 From: dac.override@gmail.com (Dominick Grift) Date: Tue, 6 Oct 2015 13:46:13 +0200 Subject: [refpolicy] modules_object_t vs. modules_dep_t labeling In-Reply-To: <20151006112913.GB27034@x250> References: <560D03C1.9060102@redhat.com> <20151005163442.GB21879@x250> <5612CCDC.3020900@tresys.com> <20151006112913.GB27034@x250> Message-ID: <20151006114612.GC27034@x250> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Tue, Oct 06, 2015 at 01:29:13PM +0200, Dominick Grift wrote: > On Mon, Oct 05, 2015 at 03:17:48PM -0400, Christopher J. PeBenito wrote: > > On 10/5/2015 12:34 PM, Dominick Grift wrote: > > > On Thu, Oct 01, 2015 at 11:58:25AM +0200, Miroslav Grepl wrote: > > >> We have more and more bugs with mislabeled /lib/modules/*/modules.dep* > > >> files. There is a default label for them - modules_dep_t but we get them > > >> labeled as modules_object_t. Yes, we can add filename transition rules > > >> and also find a reason why they get wrong labeling (in progress). > > > > > >> But is there a big advantage to have these two labels. At least I don't > > >> see it from the policy point of view (sesearch). > > > > > >> Thank you. > > > > > > > > > Still not verified but: > > > > > > /sbin/depmod is a link to /bin/kmod > > > > > > So i suspect /bin/kmod now creates the modules_dep files via rpm_script_t %post and > > > the /sbin/new_kernel_pkg shell script: > > > > > > doDepmod() { > > > [ -n "$verbose" ] && echo "running depmod for $version" > > > depmod -ae -F /boot/System.map-$version $version > > > } > > > > > > but because insmod_t is lacking the appropriate auto object type transitions and because insmod is > > > unconfined, the files get created with the wrong label. > > > > > > So you should copy the auto object type transition rules for modules_dep > > > from depmod to insmod i suspect > > > > > > I would not want insmod_t to be able to mess with module_object_t type > > > files. > > > > > > But yes, in Fedora insmod is unconfined... > > > > Thanks for digging through this issue. For the time being, we'll keep > > what we have. Miroslav, if the type transition Dominick suggests works, > > then we can put it in refpolicy. > > > > I have confirmed that the above applies, and have it implemented now in > my personal policy. > > If one ensures that /bin/kmod is labeled with the insmod_exec_t type and > if one ensures that insmod_t creates files in modules_object_t type > directories with a auto object type transition from modules_object_t to > modules_dep_t then the module dep files should get labeled properly > (there should be no real need for name-base auto object type transitions) > > if you do use name-based auto object type transitions then make sure you > at least add name modules.dep.tmp (it renames it later to modules.dep) > Although there seems to be more going on (something else seems to be maintaining modules_dep files as well). I need a few more kernel installs to see what is going on exactly besides kmod creating modules.dep.tmp and maybe some other module_dep files - -- 02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788 Dominick Grift -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQGcBAEBCgAGBQJWE7SAAAoJENAR6kfG5xmchFAMAMk1voPIOzaPGdMynYxZ2HeB Jmi+iDBHDn39AbGfGCHikjF3J3/CCZmwgXF2qSHX79J9dgYjmLdFGo4xhJ+TV/Vy /J3LU8bmsr8gQxhveIX4Jv4hCzoMw+MjWT87Qg/D/fgac2ndDQ37sS+87J/khi3Q +0b3VQD5VbBPpAY82s6WA7J2W9LFKx5QQa+5+q0/jqJIiSXkgr9J9CTClJlORsgA v8k+XL9B3GbEmqgx0XNnQsv2+xSz3jWYmpKD1FqzCMTfxtHwLHZwhwGp0a79RCjG d1/3Ba6XoiThAMdC3ZMxM0lI3EA72G3M9ARTucOBjWa7WcoXI/vdaUPZjNEsWftQ xmr14h/qf5qCHnD7jkOrBApwr5PFNhsq1BRg3yX/UlsFpg16M3zXS6KO29+BxVXh QOECPiWIq2VaAfQ9lSF9i0dx1DqXr2vqoFeeYIIIwUfWJthUJzD+mkjSZtSAhr6i ecytVSE9kExx1ezuovz+OOcKp60aP86wTbRT3FKIIg== =9I78 -----END PGP SIGNATURE-----