Bug 428322 - sys-apps/kmod has incorrect labels which causes modules not loading
Summary: sys-apps/kmod has incorrect labels which causes modules not loading
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r3
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-27 14:53 UTC by Amadeusz Sławiński
Modified: 2014-01-12 20:53 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
test3.te (test3.te, 312 bytes, text/plain)
2012-11-10 18:20 UTC, Sven Vermeulen (RETIRED)

Description Amadeusz Sławiński 2012-07-27 14:53:20 UTC
While investigating the udev bug (427660), it was discovered that newer versions of udev (>=182-r2) pull in sys-apps/kmod as the modutils package.
This leads to problems, as kmod works in a busybox-like manner, i.e. providing one binary to which the others are linked.

-rwxr-xr-x. 1 root root system_u:object_r:bin_t 92120 Jul 27 15:39 /usr/bin/kmod
lrwxrwxrwx. 1 root root system_u:object_r:bin_t 13 Jul 27 15:39 /sbin/depmod -> /usr/bin/kmod
lrwxrwxrwx. 1 root root system_u:object_r:bin_t 13 Jul 27 15:39 /sbin/modprobe -> /usr/bin/kmod
lrwxrwxrwx. 1 root root system_u:object_r:bin_t 4 Jul 27 15:39 /usr/bin/insmod -> kmod
lrwxrwxrwx. 1 root root system_u:object_r:bin_t 4 Jul 27 15:39 /usr/bin/lsmod -> kmod
lrwxrwxrwx. 1 root root system_u:object_r:bin_t 4 Jul 27 15:39 /usr/bin/modinfo -> kmod
lrwxrwxrwx. 1 root root system_u:object_r:bin_t 4 Jul 27 15:39 /usr/bin/rmmod -> kmod

lsmod and modinfo are defined as bin_t, so no problems here

modprobe, insmod, rmmod work fine when /usr/bin/kmod is marked as insmod_exec_t

depmod has a defined depmod_exec_t type
it seems to work fine with /usr/bin/kmod being bin_t or depmod_exec_t (it would be nice if someone else also confirmed this, as I had a few strange issues which may have been caused by me forgetting to set kmod to insmod_exec_t during the test reboot so it can load modules)
however, with /usr/bin/kmod being insmod_exec_t, 'make modules_install' fails with:
  DEPMOD  3.4.6-hardened
FATAL: could not load System.map: Permission denied
make: *** [_modinst_post] Error 1

from logs:
Jul 27 16:12:10 lain kernel: [  166.227228] type=1400 audit(1343398330.356:212): avc:  denied  { search } for  pid=2930 comm="depmod" name="tmp" dev="dm-0" ino=25427969 scontext=staff_u:sysadm_r:insmod_t tcontext=system_u:object_r:tmp_t tclass=dir
Jul 27 16:12:10 lain kernel: [  166.233904] type=1400 audit(1343398330.363:213): avc:  denied  { search } for  pid=2934 comm="depmod" name="linux-3.4.6-hardened" dev="dm-0" ino=18877146 scontext=staff_u:sysadm_r:insmod_t tcontext=system_u:object_r:src_t tclass=dir

and no modules load on boot



Reproducible: Always
Comment 1 Matthew Thode (prometheanfire) archtester Gentoo Infrastructure gentoo-dev Security 2012-07-31 23:09:23 UTC
Amadeusz, can you run in permissive and attach the relevant portion of your avc logs?
http://www.gentoo.org/proj/en/hardened/selinux-bugreporting.xml



Swift, let me know if I'm wrong about this (interfaces are my weak point).

There might need to be a new class and an interface in modutils to give it full access for that class.

Also, you've been working on selinux/udev stuff, right?
Comment 2 Amadeusz Sławiński 2012-08-06 17:58:32 UTC
As mentioned, modprobe, insmod and rmmod work fine with /usr/bin/kmod as insmod_exec_t; here are the logs when it is bin_t

modprobe in permissive (also same in enforcing)

Aug  6 19:38:56 lain kernel: [27676.459919] type=1400 audit(1344274736.096:140): avc:  denied  { sys_module } for  pid=21862 comm="modprobe" capability=16  scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:sysadm_t tclass=capability

insmod in permissive (also same in enforcing)

Aug  6 19:43:37 lain kernel: [27956.913993] type=1400 audit(1344275017.108:143): avc:  denied  { sys_module } for  pid=3627 comm="insmod" capability=16  scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:sysadm_t tclass=capability

rmmod in permissive (also same in enforcing)

Aug  6 19:44:45 lain kernel: [28024.815483] type=1400 audit(1344275085.144:147): avc:  denied  { sys_module } for  pid=6597 comm="rmmod" capability=16  scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:sysadm_t tclass=capability



depmod as bin_t just works (no denials in permissive or enforcing), so here are the logs when /usr/bin/kmod is labeled as depmod_exec_t

in enforcing:
Aug  6 19:48:07 lain kernel: [28227.043564] type=1400 audit(1344275287.772:152): avc:  denied  { search } for  pid=12259 comm="depmod" name="/" dev="tmpfs" ino=2075 scontext=staff_u:sysadm_r:depmod_t tcontext=system_u:object_r:var_run_t tclass=dir
Aug  6 19:48:07 lain kernel: [28227.043638] type=1400 audit(1344275287.772:153): avc:  denied  { search } for  pid=12259 comm="depmod" name="tmp" dev="dm-0" ino=25427969 scontext=staff_u:sysadm_r:depmod_t tcontext=system_u:object_r:tmp_t tclass=dir
Aug  6 19:48:07 lain kernel: [28227.065064] type=1400 audit(1344275287.796:154): avc:  denied  { search } for  pid=12263 comm="depmod" name="/" dev="tmpfs" ino=2075 scontext=staff_u:sysadm_r:depmod_t tcontext=system_u:object_r:var_run_t tclass=dir
Aug  6 19:48:07 lain kernel: [28227.065513] type=1400 audit(1344275287.796:155): avc:  denied  { unlink } for  pid=12263 comm="depmod" name="modules.dep" dev="dm-0" ino=15335500 scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:modules_object_t tclass=file
Aug  6 19:48:07 lain kernel: [28227.065527] type=1400 audit(1344275287.796:156): avc:  denied  { unlink } for  pid=12263 comm="depmod" name="modules.dep" dev="dm-0" ino=15335500 scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:modules_object_t tclass=file

and in permissive:
Aug  6 19:49:00 lain kernel: [28279.658037] type=1400 audit(1344275340.492:158): avc:  denied  { search } for  pid=12546 comm="depmod" name="depmod.9B24F3" dev="dm-0" ino=25559828 scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug  6 19:49:00 lain kernel: [28279.658064] type=1400 audit(1344275340.492:159): avc:  denied  { read } for  pid=12546 comm="depmod" name="3.4.7-hardened" dev="dm-0" ino=25559832 scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug  6 19:49:00 lain kernel: [28279.658085] type=1400 audit(1344275340.492:160): avc:  denied  { open } for  pid=12546 comm="depmod" name="3.4.7-hardened" dev="dm-0" ino=25559832 scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug  6 19:49:00 lain kernel: [28279.658242] type=1400 audit(1344275340.492:161): avc:  denied  { write } for  pid=12546 comm="depmod" name="3.4.7-hardened" dev="dm-0" ino=25559832 scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug  6 19:49:00 lain kernel: [28279.658262] type=1400 audit(1344275340.492:162): avc:  denied  { add_name } for  pid=12546 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug  6 19:49:00 lain kernel: [28279.658300] type=1400 audit(1344275340.492:163): avc:  denied  { create } for  pid=12546 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Aug  6 19:49:00 lain kernel: [28279.658350] type=1400 audit(1344275340.492:164): avc:  denied  { write open } for  pid=12546 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=25559833 scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Aug  6 19:49:00 lain kernel: [28279.658381] type=1400 audit(1344275340.492:165): avc:  denied  { getattr } for  pid=12546 comm="depmod" path="/tmp/depmod.9B24F3/lib/modules/3.4.7-hardened/modules.dep.tmp" dev="dm-0" ino=25559833 scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Aug  6 19:49:00 lain kernel: [28279.658446] type=1400 audit(1344275340.492:166): avc:  denied  { remove_name } for  pid=12546 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=25559833 scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir


and here are the logs for depmod as insmod_exec_t

enforcing:
Aug  6 19:55:29 lain kernel: [28667.796284] type=1400 audit(1344275729.400:189): avc:  denied  { search } for  pid=13866 comm="depmod" name="tmp" dev="dm-0" ino=25427969 scontext=staff_u:sysadm_r:insmod_t tcontext=system_u:object_r:tmp_t tclass=dir
Aug  6 19:55:29 lain kernel: [28667.802677] type=1400 audit(1344275729.408:190): avc:  denied  { search } for  pid=13870 comm="depmod" name="linux-3.4.7-hardened" dev="dm-0" ino=18219341 scontext=staff_u:sysadm_r:insmod_t tcontext=system_u:object_r:src_t tclass=dir


permissive:
Aug  6 19:54:34 lain kernel: [28613.199317] type=1400 audit(1344275674.696:169): avc:  denied  { search } for  pid=13571 comm="depmod" name="depmod.3uMENk" dev="dm-0" ino=25559828 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug  6 19:54:34 lain kernel: [28613.199342] type=1400 audit(1344275674.696:170): avc:  denied  { read } for  pid=13571 comm="depmod" name="3.4.7-hardened" dev="dm-0" ino=25559832 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug  6 19:54:34 lain kernel: [28613.199363] type=1400 audit(1344275674.696:171): avc:  denied  { open } for  pid=13571 comm="depmod" name="3.4.7-hardened" dev="dm-0" ino=25559832 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug  6 19:54:34 lain kernel: [28613.199518] type=1400 audit(1344275674.696:172): avc:  denied  { write } for  pid=13571 comm="depmod" name="3.4.7-hardened" dev="dm-0" ino=25559832 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug  6 19:54:34 lain kernel: [28613.199538] type=1400 audit(1344275674.696:173): avc:  denied  { add_name } for  pid=13571 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug  6 19:54:34 lain kernel: [28613.199576] type=1400 audit(1344275674.696:174): avc:  denied  { create } for  pid=13571 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Aug  6 19:54:34 lain kernel: [28613.199628] type=1400 audit(1344275674.696:175): avc:  denied  { write open } for  pid=13571 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=25559833 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Aug  6 19:54:34 lain kernel: [28613.199660] type=1400 audit(1344275674.696:176): avc:  denied  { getattr } for  pid=13571 comm="depmod" path="/tmp/depmod.3uMENk/lib/modules/3.4.7-hardened/modules.dep.tmp" dev="dm-0" ino=25559833 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Aug  6 19:54:34 lain kernel: [28613.199725] type=1400 audit(1344275674.696:177): avc:  denied  { remove_name } for  pid=13571 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=25559833 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug  6 19:54:34 lain kernel: [28613.199745] type=1400 audit(1344275674.696:178): avc:  denied  { rename } for  pid=13571 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=25559833 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-08-15 09:07:52 UTC
Will be in rev3
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-08-16 14:09:42 UTC
So it's not about needing insmod_exec_t, my fault.
Comment 5 Amadeusz Sławiński 2012-10-09 17:37:53 UTC
As per the IRC talk, everything except for the depmod command works fine with kmod being insmod_exec_t

Enforcing:

# make modules_install
...
  INSTALL sound/pci/hda/snd-hda-codec.ko
  INSTALL sound/pci/hda/snd-hda-intel.ko
  INSTALL sound/soundcore.ko
  DEPMOD  3.5.5-hardened
FATAL: could not load System.map: Permission denied
make: *** [_modinst_post] Error 1

Oct  9 19:29:45 localhost kernel: [20249.101055] type=1400 audit(1349803785.845:168): avc:  denied  { search } for  pid=10710 comm="depmod" name="tmp" dev="dm-0" ino=262145 scontext=staff_u:sysadm_r:insmod_t tcontext=system_u:object_r:tmp_t tclass=dir
Oct  9 19:29:45 localhost kernel: [20249.118921] type=1400 audit(1349803785.865:169): avc:  denied  { search } for  pid=10714 comm="depmod" name="linux-3.5.5-hardened" dev="dm-0" ino=13896146 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:src_t tclass=dir

Permissive:

Oct  9 19:31:05 localhost kernel: [20328.886166] type=1400 audit(1349803865.788:171): avc:  denied  { search } for  pid=11100 comm="depmod" name="depmod.rEfxFw" dev="dm-0" ino=6444523 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Oct  9 19:31:05 localhost kernel: [20328.886190] type=1400 audit(1349803865.788:172): avc:  denied  { read } for  pid=11100 comm="depmod" name="3.5.5-hardened" dev="dm-0" ino=6444526 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Oct  9 19:31:05 localhost kernel: [20328.886212] type=1400 audit(1349803865.788:173): avc:  denied  { open } for  pid=11100 comm="depmod" path="/tmp/depmod.rEfxFw/lib/modules/3.5.5-hardened" dev="dm-0" ino=6444526 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Oct  9 19:31:05 localhost kernel: [20328.886393] type=1400 audit(1349803865.788:174): avc:  denied  { write } for  pid=11100 comm="depmod" name="3.5.5-hardened" dev="dm-0" ino=6444526 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Oct  9 19:31:05 localhost kernel: [20328.886409] type=1400 audit(1349803865.788:175): avc:  denied  { add_name } for  pid=11100 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Oct  9 19:31:05 localhost kernel: [20328.886457] type=1400 audit(1349803865.788:176): avc:  denied  { create } for  pid=11100 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Oct  9 19:31:05 localhost kernel: [20328.886510] type=1400 audit(1349803865.788:177): avc:  denied  { write open } for  pid=11100 comm="depmod" path="/tmp/depmod.rEfxFw/lib/modules/3.5.5-hardened/modules.dep.tmp" dev="dm-0" ino=6444527 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Oct  9 19:31:05 localhost kernel: [20328.886544] type=1400 audit(1349803865.788:178): avc:  denied  { getattr } for  pid=11100 comm="depmod" path="/tmp/depmod.rEfxFw/lib/modules/3.5.5-hardened/modules.dep.tmp" dev="dm-0" ino=6444527 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Oct  9 19:31:05 localhost kernel: [20328.886613] type=1400 audit(1349803865.788:179): avc:  denied  { remove_name } for  pid=11100 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=6444527 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-10 18:20:43 UTC
Created attachment 329134 [details]
test3.te

Can you try out this test module?

It introduces a type for temporary files created in the insmod_t domain and gives the insmod_t domain manage rights on it. It also adds in read permissions on the /usr/src location (files_read_usr_src_files).
Comment 7 Amadeusz Sławiński 2012-11-11 12:09:20 UTC
# semodule -i /root/test3.pp
# make modules_install
  INSTALL drivers/bluetooth/ath3k.ko
  INSTALL drivers/bluetooth/btusb.ko
  INSTALL drivers/net/wireless/ath/ath9k/ath9k.ko
  INSTALL drivers/net/wireless/ath/ath9k/ath9k_common.ko
  INSTALL drivers/net/wireless/ath/ath9k/ath9k_hw.ko
  INSTALL net/bluetooth/bluetooth.ko
  INSTALL net/bluetooth/rfcomm/rfcomm.ko
  INSTALL net/mac80211/mac80211.ko
  DEPMOD  3.6.6-hardened
depmod: ERROR: openat(/lib/modules/99.98.3.6.6-hardened, modules.dep.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/99.98.3.6.6-hardened, modules.dep.bin.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/99.98.3.6.6-hardened, modules.alias.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/99.98.3.6.6-hardened, modules.alias.bin.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/99.98.3.6.6-hardened, modules.softdep.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/99.98.3.6.6-hardened, modules.symbols.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/99.98.3.6.6-hardened, modules.symbols.bin.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/99.98.3.6.6-hardened, modules.builtin.bin.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/99.98.3.6.6-hardened, modules.devname.tmp, 1101, 644): Permission denied


In permissive:
Nov 11 13:07:21 lain kernel: [ 2149.844168] type=1400 audit(1352635641.800:469): avc:  denied  { read } for  pid=23274 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=6422641 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 11 13:07:21 lain kernel: [ 2149.844197] type=1400 audit(1352635641.800:470): avc:  denied  { open } for  pid=23274 comm="depmod" path="/tmp/depmod.UEGmQH/lib/modules/3.6.6-hardened" dev="dm-0" ino=6422641 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 11 13:07:21 lain kernel: [ 2149.844512] type=1400 audit(1352635641.800:471): avc:  denied  { write } for  pid=23274 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=6422641 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 11 13:07:21 lain kernel: [ 2149.844538] type=1400 audit(1352635641.800:472): avc:  denied  { add_name } for  pid=23274 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 11 13:07:21 lain kernel: [ 2149.844598] type=1400 audit(1352635641.800:473): avc:  denied  { create } for  pid=23274 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Nov 11 13:07:21 lain kernel: [ 2149.844663] type=1400 audit(1352635641.800:474): avc:  denied  { write open } for  pid=23274 comm="depmod" path="/tmp/depmod.UEGmQH/lib/modules/3.6.6-hardened/modules.dep.tmp" dev="dm-0" ino=6422642 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Nov 11 13:07:21 lain kernel: [ 2149.844709] type=1400 audit(1352635641.800:475): avc:  denied  { getattr } for  pid=23274 comm="depmod" path="/tmp/depmod.UEGmQH/lib/modules/3.6.6-hardened/modules.dep.tmp" dev="dm-0" ino=6422642 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Nov 11 13:07:21 lain kernel: [ 2149.844828] type=1400 audit(1352635641.800:476): avc:  denied  { remove_name } for  pid=23274 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=6422642 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 11 13:07:21 lain kernel: [ 2149.844853] type=1400 audit(1352635641.800:477): avc:  denied  { rename } for  pid=23274 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=6422642 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file

In enforcing:
Nov 11 13:08:08 lain kernel: [ 2196.632809] type=1400 audit(1352635688.681:511): avc:  denied  { search } for  pid=24023 comm="depmod" name="depmod.2iNvXf" dev="dm-0" ino=6422637 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 11 13:08:08 lain kernel: [ 2196.662084] type=1400 audit(1352635688.710:512): avc:  denied  { write } for  pid=24026 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=18352360 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:modules_object_t tclass=dir
Nov 11 13:08:08 lain kernel: [ 2196.662151] type=1400 audit(1352635688.710:513): avc:  denied  { write } for  pid=24026 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=18352360 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:modules_object_t tclass=dir
Nov 11 13:08:08 lain kernel: [ 2196.662179] type=1400 audit(1352635688.710:514): avc:  denied  { write } for  pid=24026 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=18352360 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:modules_object_t tclass=dir
Nov 11 13:08:08 lain kernel: [ 2196.662207] type=1400 audit(1352635688.710:515): avc:  denied  { write } for  pid=24026 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=18352360 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:modules_object_t tclass=dir
Nov 11 13:08:08 lain kernel: [ 2196.662232] type=1400 audit(1352635688.710:516): avc:  denied  { write } for  pid=24026 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=18352360 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:modules_object_t tclass=dir
Nov 11 13:08:08 lain kernel: [ 2196.662272] type=1400 audit(1352635688.710:517): avc:  denied  { write } for  pid=24026 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=18352360 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:modules_object_t tclass=dir
Nov 11 13:08:08 lain kernel: [ 2196.662297] type=1400 audit(1352635688.710:518): avc:  denied  { write } for  pid=24026 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=18352360 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:modules_object_t tclass=dir
Nov 11 13:08:08 lain kernel: [ 2196.662326] type=1400 audit(1352635688.710:519): avc:  denied  { write } for  pid=24026 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=18352360 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:modules_object_t tclass=dir
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-12 20:34:14 UTC
Ok, can you do two things please?

First, add in a "files_manage_kernel_modules(insmod_t)" and retry.

Second, try to find out what the following denial is for:
"""
Nov 11 13:08:08 lain kernel: [ 2196.632809] type=1400 audit(1352635688.681:511): avc:  denied  { search } for  pid=24023 comm="depmod" name="depmod.2iNvXf" dev="dm-0" ino=6422637 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
"""

The directory probably doesn't exist anymore, but I am disappointed that it is still user_tmp_t and am wondering how it gets created.
Comment 9 Amadeusz Sławiński 2012-11-12 21:04:31 UTC
Seems like depmod is called twice, with the following options:
-b /tmp/depmod.gX5TPE 3.6.6-hardened
-ae -F System.map 99.98.3.6.6-hardened

Also look at scripts/depmod.sh in the linux source dir; it calls mktemp, which seems to generate random numbers

With files_manage_kernel_modules(insmod_t)

...
  DEPMOD  3.6.6-hardened
depmod: FATAL: renameat(/lib/modules/99.98.3.6.6-hardened, modules.dep.tmp, /lib/modules/99.98.3.6.6-hardened, modules.dep): Permission denied
make: *** [_modinst_post] Error 1

Enforcing:
Nov 12 21:51:51 lain kernel: [12655.058949] type=1400 audit(1352753511.406:84): avc:  denied  { search } for  pid=13583 comm="depmod" name="depmod.4BHJIK" dev="dm-0" ino=6304615 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 12 21:51:51 lain kernel: [12655.082498] type=1400 audit(1352753511.430:85): avc:  denied  { unlink } for  pid=13587 comm="depmod" name="modules.dep" dev="dm-0" ino=18352395 scontext=staff_u:sysadm_r:insmod_t tcontext=system_u:object_r:modules_dep_t tclass=file
Nov 12 21:51:51 lain kernel: [12655.082517] type=1400 audit(1352753511.430:86): avc:  denied  { unlink } for  pid=13587 comm="depmod" name="modules.dep" dev="dm-0" ino=18352395 scontext=staff_u:sysadm_r:insmod_t tcontext=system_u:object_r:modules_dep_t tclass=file

Permissive:
Nov 12 21:53:25 lain kernel: [12748.927893] type=1400 audit(1352753605.461:88): avc:  denied  { read } for  pid=16291 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=6304618 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 12 21:53:25 lain kernel: [12748.927918] type=1400 audit(1352753605.461:89): avc:  denied  { open } for  pid=16291 comm="depmod" path="/tmp/depmod.zE1YLJ/lib/modules/3.6.6-hardened" dev="dm-0" ino=6304618 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 12 21:53:25 lain kernel: [12748.928210] type=1400 audit(1352753605.462:90): avc:  denied  { write } for  pid=16291 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=6304618 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 12 21:53:25 lain kernel: [12748.928228] type=1400 audit(1352753605.462:91): avc:  denied  { add_name } for  pid=16291 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 12 21:53:25 lain kernel: [12748.928282] type=1400 audit(1352753605.462:92): avc:  denied  { create } for  pid=16291 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Nov 12 21:53:25 lain kernel: [12748.928341] type=1400 audit(1352753605.462:93): avc:  denied  { write open } for  pid=16291 comm="depmod" path="/tmp/depmod.zE1YLJ/lib/modules/3.6.6-hardened/modules.dep.tmp" dev="dm-0" ino=6304619 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Nov 12 21:53:25 lain kernel: [12748.928375] type=1400 audit(1352753605.462:94): avc:  denied  { getattr } for  pid=16291 comm="depmod" path="/tmp/depmod.zE1YLJ/lib/modules/3.6.6-hardened/modules.dep.tmp" dev="dm-0" ino=6304619 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Nov 12 21:53:25 lain kernel: [12748.928468] type=1400 audit(1352753605.462:95): avc:  denied  { remove_name } for  pid=16291 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=6304619 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 12 21:53:25 lain kernel: [12748.928490] type=1400 audit(1352753605.462:96): avc:  denied  { rename } for  pid=16291 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=6304619 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Comment 10 Sven Vermeulen (RETIRED) gentoo-dev 2013-08-15 17:22:08 UTC
Ok, got it to work with the following additions:

read_files_pattern(insmod_t, src_t, src_t)
userdom_manage_user_tmp_files(insmod_t)
userdom_manage_user_tmp_dirs(insmod_t)
files_manage_kernel_modules(insmod_t)

I don't have anything regarding modules_dep_t in my cases here though.

If you do still need rights, care to see if the unlink rights are the only ones (probably not)?

allow insmod_t modules_dep_t:file delete_file_perms;
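Comments 8 through 10 derive candidate policy rules by reading the AVC denials by hand. The following Python script is an added example, not part of this bug, the test3.te attachment or the Gentoo policy: it aggregates constructed AVC lines (modeled on the ones in this thread, with a placeholder hostname) into per-(source type, target type, class) permission sets and renders them as `allow` rules, the same way one would before deciding which interface (e.g. userdom_manage_user_tmp_files, files_manage_kernel_modules) actually covers them. It also separates out the sys_module capability denials from comment 2: those come from the tool running in the caller's domain (sysadm_t) because the executable was labeled bin_t rather than insmod_exec_t, so the fix there is relabeling, not a new allow rule, and the script excludes them from the generated rules. The hostname and the `analyze`/`to_allow_rules` names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample AVC lines modeled on the denials in this bug report
# (hostname and a few values changed; not copied from the thread verbatim).
SAMPLE_AVC_LINES = """\
Nov 12 21:51:51 host kernel: [12655.058949] type=1400 audit(1352753511.406:84): avc:  denied  { search } for  pid=13583 comm="depmod" name="depmod.4BHJIK" dev="dm-0" ino=6304615 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 12 21:51:51 host kernel: [12655.082498] type=1400 audit(1352753511.430:85): avc:  denied  { unlink } for  pid=13587 comm="depmod" name="modules.dep" dev="dm-0" ino=18352395 scontext=staff_u:sysadm_r:insmod_t tcontext=system_u:object_r:modules_dep_t tclass=file
Nov 12 21:53:25 host kernel: [12748.928282] type=1400 audit(1352753605.462:92): avc:  denied  { create } for  pid=16291 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Nov 12 21:53:25 host kernel: [12748.928341] type=1400 audit(1352753605.462:93): avc:  denied  { write open } for  pid=16291 comm="depmod" path="/tmp/depmod.zE1YLJ/lib/modules/3.6.6-hardened/modules.dep.tmp" dev="dm-0" ino=6304619 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Aug  6 19:38:56 host kernel: [27676.459919] type=1400 audit(1344274736.096:140): avc:  denied  { sys_module } for  pid=21862 comm="modprobe" capability=16  scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:sysadm_t tclass=capability
"""

# One denial: "{ perm perm }" plus the source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def context_type(ctx):
    """user:role:type[:mls] -> type (the third colon-separated field)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return the denial's perms, source/target types, class and comm, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    comm = COMM_RE.search(line)
    return {
        "perms": frozenset(m.group("perms").split()),
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": comm.group(1) if comm else None,
    }


def analyze(lines):
    """Aggregate denials into (source, target, class) -> set of perms.

    Denials of the sys_module capability from any domain other than insmod_t
    are collected separately: they mean the module tool never transitioned
    into insmod_t (in this bug: /usr/bin/kmod labeled bin_t), which is fixed
    by relabeling the executable, not by allowing sys_module to the caller.
    """
    needed = defaultdict(set)
    misrouted = set()
    for line in lines.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        if "sys_module" in d["perms"] and d["source"] != "insmod_t":
            misrouted.add((d["comm"], d["source"]))
            continue
        needed[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return dict(needed), misrouted


def to_allow_rules(needed):
    """Render the aggregated denials as raw allow rules, sorted for stable output."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(needed.items())
    ]


if __name__ == "__main__":
    needed, misrouted = analyze(SAMPLE_AVC_LINES)
    for rule in to_allow_rules(needed):
        print(rule)
    for comm, domain in sorted(misrouted):
        print(f"# {comm} ran in {domain}, not insmod_t: check the exec label of the binary")
```

The raw rules are only the starting point; the thread's resolution replaces them with the reference-policy interfaces that carry the same permissions (userdom_manage_user_tmp_dirs/files for the user_tmp_t entries, files_manage_kernel_modules for the modules tree), which keeps the module policy independent of the underlying type names.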
Comment 11 Amadeusz Sławiński 2013-08-22 19:54:03 UTC
Works ok as long as /lib/modules exists and has the correct label;
if it doesn't, it is created with an incorrect label (lib_t), so depmod fails
Comment 12 Sven Vermeulen (RETIRED) gentoo-dev 2013-08-23 08:10:03 UTC
Ok, added in the file transition to create /lib/modules with modules_object_t type.
Comment 13 Amadeusz Sławiński 2013-08-23 16:58:41 UTC
doesn't seem to work

# make modules_install
  INSTALL sound/core/oss/snd-mixer-oss.ko
  INSTALL sound/core/oss/snd-pcm-oss.ko
  INSTALL sound/core/seq/oss/snd-seq-oss.ko
  INSTALL sound/core/seq/snd-seq-device.ko
  INSTALL sound/core/seq/snd-seq-midi-event.ko
  INSTALL sound/core/seq/snd-seq.ko
  INSTALL sound/core/snd-hrtimer.ko
  INSTALL sound/core/snd-hwdep.ko
  INSTALL sound/core/snd-page-alloc.ko
  INSTALL sound/core/snd-pcm.ko
  INSTALL sound/core/snd-timer.ko
  INSTALL sound/core/snd.ko
  INSTALL sound/pci/hda/snd-hda-codec-analog.ko
  INSTALL sound/pci/hda/snd-hda-codec-ca0110.ko
  INSTALL sound/pci/hda/snd-hda-codec-ca0132.ko
  INSTALL sound/pci/hda/snd-hda-codec-cirrus.ko
  INSTALL sound/pci/hda/snd-hda-codec-cmedia.ko
  INSTALL sound/pci/hda/snd-hda-codec-conexant.ko
  INSTALL sound/pci/hda/snd-hda-codec-hdmi.ko
  INSTALL sound/pci/hda/snd-hda-codec-idt.ko
  INSTALL sound/pci/hda/snd-hda-codec-realtek.ko
  INSTALL sound/pci/hda/snd-hda-codec-si3054.ko
  INSTALL sound/pci/hda/snd-hda-codec-via.ko
  INSTALL sound/pci/hda/snd-hda-codec.ko
  INSTALL sound/pci/hda/snd-hda-intel.ko
  INSTALL sound/soundcore.ko
  DEPMOD  3.10.9-hardened
depmod: ERROR: openat(/lib/modules/3.10.9-hardened, modules.dep.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/3.10.9-hardened, modules.dep.bin.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/3.10.9-hardened, modules.alias.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/3.10.9-hardened, modules.alias.bin.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/3.10.9-hardened, modules.softdep.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/3.10.9-hardened, modules.symbols.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/3.10.9-hardened, modules.symbols.bin.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/3.10.9-hardened, modules.builtin.bin.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/3.10.9-hardened, modules.devname.tmp, 1101, 644): Permission denied
# tailf /var/log/avc.log
Aug 23 18:46:42 ananke kernel: [24409.696001] type=1400 audit(1377276402.674:854): avc:  denied  { relabelfrom } for  pid=29915 comm="cp" name="admin" dev="dm-0" ino=7210198 scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:object_r:portage_tmp_t tclass=dir
Aug 23 18:57:52 ananke kernel: [25079.472239] type=1400 audit(1377277072.299:901): avc:  denied  { create } for  pid=28172 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:lib_t tclass=file
Aug 23 18:57:52 ananke kernel: [25079.472398] type=1400 audit(1377277072.299:902): avc:  denied  { create } for  pid=28172 comm="depmod" name="modules.dep.bin.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:lib_t tclass=file
Aug 23 18:57:52 ananke kernel: [25079.472495] type=1400 audit(1377277072.299:903): avc:  denied  { create } for  pid=28172 comm="depmod" name="modules.alias.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:lib_t tclass=file
Aug 23 18:57:52 ananke kernel: [25079.472599] type=1400 audit(1377277072.299:904): avc:  denied  { create } for  pid=28172 comm="depmod" name="modules.alias.bin.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:lib_t tclass=file
Aug 23 18:57:52 ananke kernel: [25079.472694] type=1400 audit(1377277072.299:905): avc:  denied  { create } for  pid=28172 comm="depmod" name="modules.softdep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:lib_t tclass=file
Aug 23 18:57:52 ananke kernel: [25079.472814] type=1400 audit(1377277072.299:906): avc:  denied  { create } for  pid=28172 comm="depmod" name="modules.symbols.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:lib_t tclass=file
Aug 23 18:57:52 ananke kernel: [25079.472914] type=1400 audit(1377277072.300:907): avc:  denied  { create } for  pid=28172 comm="depmod" name="modules.symbols.bin.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:lib_t tclass=file
Aug 23 18:57:52 ananke kernel: [25079.473008] type=1400 audit(1377277072.300:908): avc:  denied  { create } for  pid=28172 comm="depmod" name="modules.builtin.bin.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:lib_t tclass=file
Aug 23 18:57:52 ananke kernel: [25079.473130] type=1400 audit(1377277072.300:909): avc:  denied  { create } for  pid=28172 comm="depmod" name="modules.devname.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:lib_t tclass=file
Comment 14 Sven Vermeulen (RETIRED) gentoo-dev 2013-08-23 17:37:52 UTC
Ok I removed the file transition again.

Seems like it is the user domain (the domain that is calling "make modules_install") that is creating the directory.

I'm not going to add in a file transition for "modules" directory in a lib_t towards modules_object_t because I can imagine that there are other "modules" directories that would need to remain labeled as lib_t for now.

So, if we hit this, the currently best course of action is to run "restorecon -R /lib/modules" and we're all set (also for future).
Comment 15 Sven Vermeulen (RETIRED) gentoo-dev 2013-09-26 17:33:38 UTC
r3 is now in the tree, ~arch'ed
Comment 16 Sven Vermeulen (RETIRED) gentoo-dev 2014-01-12 20:53:36 UTC
r4 is now stable in the tree