While investigating udev bug (427660), it was discovered that newer versions of udev (>=182-r2) pull sys-apps/kmod as their modutils package. This leads to problems, as kmod works in a busybox-like manner, i.e. providing one binary to which the others are linked:

-rwxr-xr-x. 1 root root system_u:object_r:bin_t 92120 Jul 27 15:39 /usr/bin/kmod
lrwxrwxrwx. 1 root root system_u:object_r:bin_t 13 Jul 27 15:39 /sbin/depmod -> /usr/bin/kmod
lrwxrwxrwx. 1 root root system_u:object_r:bin_t 13 Jul 27 15:39 /sbin/modprobe -> /usr/bin/kmod
lrwxrwxrwx. 1 root root system_u:object_r:bin_t 4 Jul 27 15:39 /usr/bin/insmod -> kmod
lrwxrwxrwx. 1 root root system_u:object_r:bin_t 4 Jul 27 15:39 /usr/bin/lsmod -> kmod
lrwxrwxrwx. 1 root root system_u:object_r:bin_t 4 Jul 27 15:39 /usr/bin/modinfo -> kmod
lrwxrwxrwx. 1 root root system_u:object_r:bin_t 4 Jul 27 15:39 /usr/bin/rmmod -> kmod

lsmod and modinfo are defined as bin_t, so no problems here.

modprobe, insmod and rmmod work fine when /usr/bin/kmod is marked as insmod_exec_t.

depmod has a defined depmod_exec_t type; it seems to work fine with /usr/bin/kmod being bin_t or depmod_exec_t (it would be nice if someone else also confirmed this, as I had a few strange issues which may have been caused by me forgetting to set kmod to insmod_exec_t during the test reboot so it can load modules). However, with /usr/bin/kmod being insmod_exec_t, 'make modules_install' fails with:

DEPMOD 3.4.6-hardened
FATAL: could not load System.map: Permission denied
make: *** [_modinst_post] Error 1

From the logs:

Jul 27 16:12:10 lain kernel: [ 166.227228] type=1400 audit(1343398330.356:212): avc: denied { search } for pid=2930 comm="depmod" name="tmp" dev="dm-0" ino=25427969 scontext=staff_u:sysadm_r:insmod_t tcontext=system_u:object_r:tmp_t tclass=dir
Jul 27 16:12:10 lain kernel: [ 166.233904] type=1400 audit(1343398330.363:213): avc: denied { search } for pid=2934 comm="depmod" name="linux-3.4.6-hardened" dev="dm-0" ino=18877146 scontext=staff_u:sysadm_r:insmod_t tcontext=system_u:object_r:src_t tclass=dir

and no modules load on boot.

Reproducible: Always
Amadeusz, can you run in permissive and attach the relevant portion of your avc logs? http://www.gentoo.org/proj/en/hardened/selinux-bugreporting.xml

Swift, let me know if I'm wrong about this (interfaces are my weak point). There might need to be a new class and an interface in modutils to give it full access for that class. Also, you've been working on selinux/udev stuff, right?
As mentioned, modprobe, insmod and rmmod work fine with /usr/bin/kmod as insmod_exec_t. Here are the logs when it is bin_t.

modprobe in permissive (also same in enforcing):

Aug 6 19:38:56 lain kernel: [27676.459919] type=1400 audit(1344274736.096:140): avc: denied { sys_module } for pid=21862 comm="modprobe" capability=16 scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:sysadm_t tclass=capability

insmod in permissive (also same in enforcing):

Aug 6 19:43:37 lain kernel: [27956.913993] type=1400 audit(1344275017.108:143): avc: denied { sys_module } for pid=3627 comm="insmod" capability=16 scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:sysadm_t tclass=capability

rmmod in permissive (also same in enforcing):

Aug 6 19:44:45 lain kernel: [28024.815483] type=1400 audit(1344275085.144:147): avc: denied { sys_module } for pid=6597 comm="rmmod" capability=16 scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:sysadm_t tclass=capability

depmod as bin_t just works (no denials in permissive or enforcing), so here are the logs when /usr/bin/kmod is labeled as depmod_exec_t.

Enforcing:

Aug 6 19:48:07 lain kernel: [28227.043564] type=1400 audit(1344275287.772:152): avc: denied { search } for pid=12259 comm="depmod" name="/" dev="tmpfs" ino=2075 scontext=staff_u:sysadm_r:depmod_t tcontext=system_u:object_r:var_run_t tclass=dir
Aug 6 19:48:07 lain kernel: [28227.043638] type=1400 audit(1344275287.772:153): avc: denied { search } for pid=12259 comm="depmod" name="tmp" dev="dm-0" ino=25427969 scontext=staff_u:sysadm_r:depmod_t tcontext=system_u:object_r:tmp_t tclass=dir
Aug 6 19:48:07 lain kernel: [28227.065064] type=1400 audit(1344275287.796:154): avc: denied { search } for pid=12263 comm="depmod" name="/" dev="tmpfs" ino=2075 scontext=staff_u:sysadm_r:depmod_t tcontext=system_u:object_r:var_run_t tclass=dir
Aug 6 19:48:07 lain kernel: [28227.065513] type=1400 audit(1344275287.796:155): avc: denied { unlink } for pid=12263 comm="depmod" name="modules.dep" dev="dm-0" ino=15335500 scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:modules_object_t tclass=file
Aug 6 19:48:07 lain kernel: [28227.065527] type=1400 audit(1344275287.796:156): avc: denied { unlink } for pid=12263 comm="depmod" name="modules.dep" dev="dm-0" ino=15335500 scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:modules_object_t tclass=file

Permissive:

Aug 6 19:49:00 lain kernel: [28279.658037] type=1400 audit(1344275340.492:158): avc: denied { search } for pid=12546 comm="depmod" name="depmod.9B24F3" dev="dm-0" ino=25559828 scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug 6 19:49:00 lain kernel: [28279.658064] type=1400 audit(1344275340.492:159): avc: denied { read } for pid=12546 comm="depmod" name="3.4.7-hardened" dev="dm-0" ino=25559832 scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug 6 19:49:00 lain kernel: [28279.658085] type=1400 audit(1344275340.492:160): avc: denied { open } for pid=12546 comm="depmod" name="3.4.7-hardened" dev="dm-0" ino=25559832 scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug 6 19:49:00 lain kernel: [28279.658242] type=1400 audit(1344275340.492:161): avc: denied { write } for pid=12546 comm="depmod" name="3.4.7-hardened" dev="dm-0" ino=25559832 scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug 6 19:49:00 lain kernel: [28279.658262] type=1400 audit(1344275340.492:162): avc: denied { add_name } for pid=12546 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug 6 19:49:00 lain kernel: [28279.658300] type=1400 audit(1344275340.492:163): avc: denied { create } for pid=12546 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Aug 6 19:49:00 lain kernel: [28279.658350] type=1400 audit(1344275340.492:164): avc: denied { write open } for pid=12546 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=25559833 scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Aug 6 19:49:00 lain kernel: [28279.658381] type=1400 audit(1344275340.492:165): avc: denied { getattr } for pid=12546 comm="depmod" path="/tmp/depmod.9B24F3/lib/modules/3.4.7-hardened/modules.dep.tmp" dev="dm-0" ino=25559833 scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Aug 6 19:49:00 lain kernel: [28279.658446] type=1400 audit(1344275340.492:166): avc: denied { remove_name } for pid=12546 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=25559833 scontext=staff_u:sysadm_r:depmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir

And here are the logs for depmod as insmod_exec_t.

Enforcing:

Aug 6 19:55:29 lain kernel: [28667.796284] type=1400 audit(1344275729.400:189): avc: denied { search } for pid=13866 comm="depmod" name="tmp" dev="dm-0" ino=25427969 scontext=staff_u:sysadm_r:insmod_t tcontext=system_u:object_r:tmp_t tclass=dir
Aug 6 19:55:29 lain kernel: [28667.802677] type=1400 audit(1344275729.408:190): avc: denied { search } for pid=13870 comm="depmod" name="linux-3.4.7-hardened" dev="dm-0" ino=18219341 scontext=staff_u:sysadm_r:insmod_t tcontext=system_u:object_r:src_t tclass=dir

Permissive:

Aug 6 19:54:34 lain kernel: [28613.199317] type=1400 audit(1344275674.696:169): avc: denied { search } for pid=13571 comm="depmod" name="depmod.3uMENk" dev="dm-0" ino=25559828 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug 6 19:54:34 lain kernel: [28613.199342] type=1400 audit(1344275674.696:170): avc: denied { read } for pid=13571 comm="depmod" name="3.4.7-hardened" dev="dm-0" ino=25559832 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug 6 19:54:34 lain kernel: [28613.199363] type=1400 audit(1344275674.696:171): avc: denied { open } for pid=13571 comm="depmod" name="3.4.7-hardened" dev="dm-0" ino=25559832 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug 6 19:54:34 lain kernel: [28613.199518] type=1400 audit(1344275674.696:172): avc: denied { write } for pid=13571 comm="depmod" name="3.4.7-hardened" dev="dm-0" ino=25559832 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug 6 19:54:34 lain kernel: [28613.199538] type=1400 audit(1344275674.696:173): avc: denied { add_name } for pid=13571 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug 6 19:54:34 lain kernel: [28613.199576] type=1400 audit(1344275674.696:174): avc: denied { create } for pid=13571 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Aug 6 19:54:34 lain kernel: [28613.199628] type=1400 audit(1344275674.696:175): avc: denied { write open } for pid=13571 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=25559833 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Aug 6 19:54:34 lain kernel: [28613.199660] type=1400 audit(1344275674.696:176): avc: denied { getattr } for pid=13571 comm="depmod" path="/tmp/depmod.3uMENk/lib/modules/3.4.7-hardened/modules.dep.tmp" dev="dm-0" ino=25559833 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Aug 6 19:54:34 lain kernel: [28613.199725] type=1400 audit(1344275674.696:177): avc: denied { remove_name } for pid=13571 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=25559833 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Aug 6 19:54:34 lain kernel: [28613.199745] type=1400 audit(1344275674.696:178): avc: denied { rename } for pid=13571 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=25559833 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Will be in rev3
So it's not about needing insmod_exec_t, my fault.
As per IRC talk, everything except for the depmod command works fine with kmod being insmod_exec_t.

Enforcing:

# make modules_install
...
INSTALL sound/pci/hda/snd-hda-codec.ko
INSTALL sound/pci/hda/snd-hda-intel.ko
INSTALL sound/soundcore.ko
DEPMOD 3.5.5-hardened
FATAL: could not load System.map: Permission denied
make: *** [_modinst_post] Error 1

Oct 9 19:29:45 localhost kernel: [20249.101055] type=1400 audit(1349803785.845:168): avc: denied { search } for pid=10710 comm="depmod" name="tmp" dev="dm-0" ino=262145 scontext=staff_u:sysadm_r:insmod_t tcontext=system_u:object_r:tmp_t tclass=dir
Oct 9 19:29:45 localhost kernel: [20249.118921] type=1400 audit(1349803785.865:169): avc: denied { search } for pid=10714 comm="depmod" name="linux-3.5.5-hardened" dev="dm-0" ino=13896146 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:src_t tclass=dir

Permissive:

Oct 9 19:31:05 localhost kernel: [20328.886166] type=1400 audit(1349803865.788:171): avc: denied { search } for pid=11100 comm="depmod" name="depmod.rEfxFw" dev="dm-0" ino=6444523 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Oct 9 19:31:05 localhost kernel: [20328.886190] type=1400 audit(1349803865.788:172): avc: denied { read } for pid=11100 comm="depmod" name="3.5.5-hardened" dev="dm-0" ino=6444526 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Oct 9 19:31:05 localhost kernel: [20328.886212] type=1400 audit(1349803865.788:173): avc: denied { open } for pid=11100 comm="depmod" path="/tmp/depmod.rEfxFw/lib/modules/3.5.5-hardened" dev="dm-0" ino=6444526 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Oct 9 19:31:05 localhost kernel: [20328.886393] type=1400 audit(1349803865.788:174): avc: denied { write } for pid=11100 comm="depmod" name="3.5.5-hardened" dev="dm-0" ino=6444526 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Oct 9 19:31:05 localhost kernel: [20328.886409] type=1400 audit(1349803865.788:175): avc: denied { add_name } for pid=11100 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Oct 9 19:31:05 localhost kernel: [20328.886457] type=1400 audit(1349803865.788:176): avc: denied { create } for pid=11100 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Oct 9 19:31:05 localhost kernel: [20328.886510] type=1400 audit(1349803865.788:177): avc: denied { write open } for pid=11100 comm="depmod" path="/tmp/depmod.rEfxFw/lib/modules/3.5.5-hardened/modules.dep.tmp" dev="dm-0" ino=6444527 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Oct 9 19:31:05 localhost kernel: [20328.886544] type=1400 audit(1349803865.788:178): avc: denied { getattr } for pid=11100 comm="depmod" path="/tmp/depmod.rEfxFw/lib/modules/3.5.5-hardened/modules.dep.tmp" dev="dm-0" ino=6444527 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Oct 9 19:31:05 localhost kernel: [20328.886613] type=1400 audit(1349803865.788:179): avc: denied { remove_name } for pid=11100 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=6444527 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Created attachment 329134: test3.te

Can you try out this test module? It introduces a type for temporary files created in the insmod_t domain and allows the insmod_t domain manage rights on it. It also adds in read permissions on the /usr/src location (files_read_usr_src_files).
# semodule -i /root/test3.pp
# make modules_install
INSTALL drivers/bluetooth/ath3k.ko
INSTALL drivers/bluetooth/btusb.ko
INSTALL drivers/net/wireless/ath/ath9k/ath9k.ko
INSTALL drivers/net/wireless/ath/ath9k/ath9k_common.ko
INSTALL drivers/net/wireless/ath/ath9k/ath9k_hw.ko
INSTALL net/bluetooth/bluetooth.ko
INSTALL net/bluetooth/rfcomm/rfcomm.ko
INSTALL net/mac80211/mac80211.ko
DEPMOD 3.6.6-hardened
depmod: ERROR: openat(/lib/modules/99.98.3.6.6-hardened, modules.dep.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/99.98.3.6.6-hardened, modules.dep.bin.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/99.98.3.6.6-hardened, modules.alias.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/99.98.3.6.6-hardened, modules.alias.bin.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/99.98.3.6.6-hardened, modules.softdep.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/99.98.3.6.6-hardened, modules.symbols.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/99.98.3.6.6-hardened, modules.symbols.bin.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/99.98.3.6.6-hardened, modules.builtin.bin.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/99.98.3.6.6-hardened, modules.devname.tmp, 1101, 644): Permission denied

In permissive:

Nov 11 13:07:21 lain kernel: [ 2149.844168] type=1400 audit(1352635641.800:469): avc: denied { read } for pid=23274 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=6422641 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 11 13:07:21 lain kernel: [ 2149.844197] type=1400 audit(1352635641.800:470): avc: denied { open } for pid=23274 comm="depmod" path="/tmp/depmod.UEGmQH/lib/modules/3.6.6-hardened" dev="dm-0" ino=6422641 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 11 13:07:21 lain kernel: [ 2149.844512] type=1400 audit(1352635641.800:471): avc: denied { write } for pid=23274 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=6422641 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 11 13:07:21 lain kernel: [ 2149.844538] type=1400 audit(1352635641.800:472): avc: denied { add_name } for pid=23274 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 11 13:07:21 lain kernel: [ 2149.844598] type=1400 audit(1352635641.800:473): avc: denied { create } for pid=23274 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Nov 11 13:07:21 lain kernel: [ 2149.844663] type=1400 audit(1352635641.800:474): avc: denied { write open } for pid=23274 comm="depmod" path="/tmp/depmod.UEGmQH/lib/modules/3.6.6-hardened/modules.dep.tmp" dev="dm-0" ino=6422642 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Nov 11 13:07:21 lain kernel: [ 2149.844709] type=1400 audit(1352635641.800:475): avc: denied { getattr } for pid=23274 comm="depmod" path="/tmp/depmod.UEGmQH/lib/modules/3.6.6-hardened/modules.dep.tmp" dev="dm-0" ino=6422642 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Nov 11 13:07:21 lain kernel: [ 2149.844828] type=1400 audit(1352635641.800:476): avc: denied { remove_name } for pid=23274 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=6422642 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 11 13:07:21 lain kernel: [ 2149.844853] type=1400 audit(1352635641.800:477): avc: denied { rename } for pid=23274 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=6422642 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file

In enforcing:

Nov 11 13:08:08 lain kernel: [ 2196.632809] type=1400 audit(1352635688.681:511): avc: denied { search } for pid=24023 comm="depmod" name="depmod.2iNvXf" dev="dm-0" ino=6422637 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 11 13:08:08 lain kernel: [ 2196.662084] type=1400 audit(1352635688.710:512): avc: denied { write } for pid=24026 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=18352360 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:modules_object_t tclass=dir
Nov 11 13:08:08 lain kernel: [ 2196.662151] type=1400 audit(1352635688.710:513): avc: denied { write } for pid=24026 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=18352360 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:modules_object_t tclass=dir
Nov 11 13:08:08 lain kernel: [ 2196.662179] type=1400 audit(1352635688.710:514): avc: denied { write } for pid=24026 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=18352360 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:modules_object_t tclass=dir
Nov 11 13:08:08 lain kernel: [ 2196.662207] type=1400 audit(1352635688.710:515): avc: denied { write } for pid=24026 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=18352360 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:modules_object_t tclass=dir
Nov 11 13:08:08 lain kernel: [ 2196.662232] type=1400 audit(1352635688.710:516): avc: denied { write } for pid=24026 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=18352360 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:modules_object_t tclass=dir
Nov 11 13:08:08 lain kernel: [ 2196.662272] type=1400 audit(1352635688.710:517): avc: denied { write } for pid=24026 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=18352360 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:modules_object_t tclass=dir
Nov 11 13:08:08 lain kernel: [ 2196.662297] type=1400 audit(1352635688.710:518): avc: denied { write } for pid=24026 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=18352360 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:modules_object_t tclass=dir
Nov 11 13:08:08 lain kernel: [ 2196.662326] type=1400 audit(1352635688.710:519): avc: denied { write } for pid=24026 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=18352360 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:modules_object_t tclass=dir
Ok, can you do two things please?

First, add in a "files_manage_kernel_modules(insmod_t)" and retry.

Second, try to find out what the following denial is for:

"""
Nov 11 13:08:08 lain kernel: [ 2196.632809] type=1400 audit(1352635688.681:511): avc: denied { search } for pid=24023 comm="depmod" name="depmod.2iNvXf" dev="dm-0" ino=6422637 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
"""

The directory probably doesn't exist anymore, but I am disappointed that it is still user_tmp_t and am wondering how it gets created.
Seems like depmod is called twice with the following options:

-b /tmp/depmod.gX5TPE 3.6.6-hardened
-ae -F System.map 99.98.3.6.6-hardened

Also look at scripts/depmod.sh in the linux source dir; it calls mktemp, which seems to generate random numbers.

With files_manage_kernel_modules(insmod_t):

...
DEPMOD 3.6.6-hardened
depmod: FATAL: renameat(/lib/modules/99.98.3.6.6-hardened, modules.dep.tmp, /lib/modules/99.98.3.6.6-hardened, modules.dep): Permission denied
make: *** [_modinst_post] Error 1

Enforcing:

Nov 12 21:51:51 lain kernel: [12655.058949] type=1400 audit(1352753511.406:84): avc: denied { search } for pid=13583 comm="depmod" name="depmod.4BHJIK" dev="dm-0" ino=6304615 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 12 21:51:51 lain kernel: [12655.082498] type=1400 audit(1352753511.430:85): avc: denied { unlink } for pid=13587 comm="depmod" name="modules.dep" dev="dm-0" ino=18352395 scontext=staff_u:sysadm_r:insmod_t tcontext=system_u:object_r:modules_dep_t tclass=file
Nov 12 21:51:51 lain kernel: [12655.082517] type=1400 audit(1352753511.430:86): avc: denied { unlink } for pid=13587 comm="depmod" name="modules.dep" dev="dm-0" ino=18352395 scontext=staff_u:sysadm_r:insmod_t tcontext=system_u:object_r:modules_dep_t tclass=file

Permissive:

Nov 12 21:53:25 lain kernel: [12748.927893] type=1400 audit(1352753605.461:88): avc: denied { read } for pid=16291 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=6304618 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 12 21:53:25 lain kernel: [12748.927918] type=1400 audit(1352753605.461:89): avc: denied { open } for pid=16291 comm="depmod" path="/tmp/depmod.zE1YLJ/lib/modules/3.6.6-hardened" dev="dm-0" ino=6304618 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 12 21:53:25 lain kernel: [12748.928210] type=1400 audit(1352753605.462:90): avc: denied { write } for pid=16291 comm="depmod" name="3.6.6-hardened" dev="dm-0" ino=6304618 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 12 21:53:25 lain kernel: [12748.928228] type=1400 audit(1352753605.462:91): avc: denied { add_name } for pid=16291 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 12 21:53:25 lain kernel: [12748.928282] type=1400 audit(1352753605.462:92): avc: denied { create } for pid=16291 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Nov 12 21:53:25 lain kernel: [12748.928341] type=1400 audit(1352753605.462:93): avc: denied { write open } for pid=16291 comm="depmod" path="/tmp/depmod.zE1YLJ/lib/modules/3.6.6-hardened/modules.dep.tmp" dev="dm-0" ino=6304619 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Nov 12 21:53:25 lain kernel: [12748.928375] type=1400 audit(1352753605.462:94): avc: denied { getattr } for pid=16291 comm="depmod" path="/tmp/depmod.zE1YLJ/lib/modules/3.6.6-hardened/modules.dep.tmp" dev="dm-0" ino=6304619 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Nov 12 21:53:25 lain kernel: [12748.928468] type=1400 audit(1352753605.462:95): avc: denied { remove_name } for pid=16291 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=6304619 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir
Nov 12 21:53:25 lain kernel: [12748.928490] type=1400 audit(1352753605.462:96): avc: denied { rename } for pid=16291 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=6304619 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file
Ok, got it to work with the following additions:

read_files_pattern(insmod_t, src_t, src_t)
userdom_manage_user_tmp_files(insmod_t)
userdom_manage_user_tmp_dirs(insmod_t)
files_manage_kernel_modules(insmod_t)

I don't have anything regarding modules_dep_t in my cases here though. If you do still need rights, care to see if the unlink rights are the only ones (probably not)?

allow insmod_t modules_dep_t:file delete_file_perms;
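The comments above reduce each denial by hand to a (source type, target type, class, permissions) tuple before picking the refpolicy interface that grants it. As an added example (not code from this bug thread, from kmod or from refpolicy), the script below does that reduction mechanically over AVC lines of the kind pasted above, merging permissions per (source, target, class) the way audit2allow would, and also pulls out the mktemp-created depmod.XXXXXX base directories that explain why the target of most denials is user_tmp_t rather than modules_object_t. The sample input consists of six denial lines copied from the comments above plus one constructed non-AVC kernel line, included to show that unrelated lines are skipped.

```python
"""Summarize SELinux AVC denials into raw allow rules.

Added example, not part of the bug thread, kmod or refpolicy. It reads
kernel audit lines (type=1400) of the shape pasted in the comments above
and merges them per (source type, target type, class).
"""
import re
from collections import defaultdict

# One AVC denial as logged by the kernel; the fields between "for" and
# "scontext=" vary (pid, comm, name or path, dev, ino, capability, ...).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)'
    r'\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# scripts/depmod.sh creates its staging tree with mktemp -d depmod.XXXXXX
TMP_BASE_RE = re.compile(r'depmod\.[A-Za-z0-9]{6}')


def parse_avc(line):
    """Return the interesting parts of one AVC denial line, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm', ''),
        'name': fields.get('name', ''),
        'path': fields.get('path', ''),
        # user:role:type[:range] -> keep only the type
        'stype': m.group('scontext').split(':')[2],
        'ttype': m.group('tcontext').split(':')[2],
        'tclass': m.group('tclass'),
    }


def allow_rules(lines):
    """Merge denials into one raw allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            merged[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]


def tmp_bases(lines):
    """Staging trees (depmod -b /tmp/depmod.XXXXXX) named in the denials."""
    found = set()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        for value in (d['name'], d['path']):
            m = TMP_BASE_RE.search(value)
            if m:
                found.add(m.group(0))
    return sorted(found)


# Sample input: six denial lines copied from the comments above, plus one
# constructed non-AVC kernel line (last entry) that must be ignored.
SAMPLE_LINES = [
    'Aug 6 19:55:29 lain kernel: [28667.796284] type=1400 audit(1344275729.400:189): avc: denied { search } for pid=13866 comm="depmod" name="tmp" dev="dm-0" ino=25427969 scontext=staff_u:sysadm_r:insmod_t tcontext=system_u:object_r:tmp_t tclass=dir',
    'Aug 6 19:55:29 lain kernel: [28667.802677] type=1400 audit(1344275729.408:190): avc: denied { search } for pid=13870 comm="depmod" name="linux-3.4.7-hardened" dev="dm-0" ino=18219341 scontext=staff_u:sysadm_r:insmod_t tcontext=system_u:object_r:src_t tclass=dir',
    'Aug 6 19:54:34 lain kernel: [28613.199317] type=1400 audit(1344275674.696:169): avc: denied { search } for pid=13571 comm="depmod" name="depmod.3uMENk" dev="dm-0" ino=25559828 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=dir',
    'Aug 6 19:54:34 lain kernel: [28613.199628] type=1400 audit(1344275674.696:175): avc: denied { write open } for pid=13571 comm="depmod" name="modules.dep.tmp" dev="dm-0" ino=25559833 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file',
    'Aug 6 19:54:34 lain kernel: [28613.199660] type=1400 audit(1344275674.696:176): avc: denied { getattr } for pid=13571 comm="depmod" path="/tmp/depmod.3uMENk/lib/modules/3.4.7-hardened/modules.dep.tmp" dev="dm-0" ino=25559833 scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:user_tmp_t tclass=file',
    'Nov 12 21:51:51 lain kernel: [12655.082498] type=1400 audit(1352753511.430:85): avc: denied { unlink } for pid=13587 comm="depmod" name="modules.dep" dev="dm-0" ino=18352395 scontext=staff_u:sysadm_r:insmod_t tcontext=system_u:object_r:modules_dep_t tclass=file',
    # constructed, not from the thread
    'Aug 6 19:55:30 lain kernel: [28667.900000] usb 1-1: new high-speed USB device number 4 using ehci_hcd',
]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LINES):
        print(rule)
    print("staging trees:", ", ".join(tmp_bases(SAMPLE_LINES)))
```

The merged output is the raw form only; in a module it should be expressed through interfaces as in the comment above (userdom_manage_user_tmp_dirs, files_manage_kernel_modules, ...) so the rules follow any later retyping of those objects. The staging-tree list is the quick check for the question raised earlier about where the user_tmp_t directory comes from: it is the mktemp tree that scripts/depmod.sh passes to depmod -b, created by the caller's domain, not by insmod_t.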
Works OK as long as /lib/modules exists and has the correct label. If it doesn't, it is created with an incorrect label (lib_t), so depmod fails.
Ok, added in the file transition to create /lib/modules with modules_object_t type.
Doesn't seem to work:

# make modules_install
INSTALL sound/core/oss/snd-mixer-oss.ko
INSTALL sound/core/oss/snd-pcm-oss.ko
INSTALL sound/core/seq/oss/snd-seq-oss.ko
INSTALL sound/core/seq/snd-seq-device.ko
INSTALL sound/core/seq/snd-seq-midi-event.ko
INSTALL sound/core/seq/snd-seq.ko
INSTALL sound/core/snd-hrtimer.ko
INSTALL sound/core/snd-hwdep.ko
INSTALL sound/core/snd-page-alloc.ko
INSTALL sound/core/snd-pcm.ko
INSTALL sound/core/snd-timer.ko
INSTALL sound/core/snd.ko
INSTALL sound/pci/hda/snd-hda-codec-analog.ko
INSTALL sound/pci/hda/snd-hda-codec-ca0110.ko
INSTALL sound/pci/hda/snd-hda-codec-ca0132.ko
INSTALL sound/pci/hda/snd-hda-codec-cirrus.ko
INSTALL sound/pci/hda/snd-hda-codec-cmedia.ko
INSTALL sound/pci/hda/snd-hda-codec-conexant.ko
INSTALL sound/pci/hda/snd-hda-codec-hdmi.ko
INSTALL sound/pci/hda/snd-hda-codec-idt.ko
INSTALL sound/pci/hda/snd-hda-codec-realtek.ko
INSTALL sound/pci/hda/snd-hda-codec-si3054.ko
INSTALL sound/pci/hda/snd-hda-codec-via.ko
INSTALL sound/pci/hda/snd-hda-codec.ko
INSTALL sound/pci/hda/snd-hda-intel.ko
INSTALL sound/soundcore.ko
DEPMOD 3.10.9-hardened
depmod: ERROR: openat(/lib/modules/3.10.9-hardened, modules.dep.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/3.10.9-hardened, modules.dep.bin.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/3.10.9-hardened, modules.alias.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/3.10.9-hardened, modules.alias.bin.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/3.10.9-hardened, modules.softdep.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/3.10.9-hardened, modules.symbols.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/3.10.9-hardened, modules.symbols.bin.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/3.10.9-hardened, modules.builtin.bin.tmp, 1101, 644): Permission denied
depmod: ERROR: openat(/lib/modules/3.10.9-hardened, modules.devname.tmp, 1101, 644): Permission denied

# tailf /var/log/avc.log
Aug 23 18:46:42 ananke kernel: [24409.696001] type=1400 audit(1377276402.674:854): avc: denied { relabelfrom } for pid=29915 comm="cp" name="admin" dev="dm-0" ino=7210198 scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:object_r:portage_tmp_t tclass=dir
Aug 23 18:57:52 ananke kernel: [25079.472239] type=1400 audit(1377277072.299:901): avc: denied { create } for pid=28172 comm="depmod" name="modules.dep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:lib_t tclass=file
Aug 23 18:57:52 ananke kernel: [25079.472398] type=1400 audit(1377277072.299:902): avc: denied { create } for pid=28172 comm="depmod" name="modules.dep.bin.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:lib_t tclass=file
Aug 23 18:57:52 ananke kernel: [25079.472495] type=1400 audit(1377277072.299:903): avc: denied { create } for pid=28172 comm="depmod" name="modules.alias.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:lib_t tclass=file
Aug 23 18:57:52 ananke kernel: [25079.472599] type=1400 audit(1377277072.299:904): avc: denied { create } for pid=28172 comm="depmod" name="modules.alias.bin.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:lib_t tclass=file
Aug 23 18:57:52 ananke kernel: [25079.472694] type=1400 audit(1377277072.299:905): avc: denied { create } for pid=28172 comm="depmod" name="modules.softdep.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:lib_t tclass=file
Aug 23 18:57:52 ananke kernel: [25079.472814] type=1400 audit(1377277072.299:906): avc: denied { create } for pid=28172 comm="depmod" name="modules.symbols.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:lib_t tclass=file
Aug 23 18:57:52 ananke kernel: [25079.472914] type=1400 audit(1377277072.300:907): avc: denied { create } for pid=28172 comm="depmod" name="modules.symbols.bin.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:lib_t tclass=file
Aug 23 18:57:52 ananke kernel: [25079.473008] type=1400 audit(1377277072.300:908): avc: denied { create } for pid=28172 comm="depmod" name="modules.builtin.bin.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:lib_t tclass=file
Aug 23 18:57:52 ananke kernel: [25079.473130] type=1400 audit(1377277072.300:909): avc: denied { create } for pid=28172 comm="depmod" name="modules.devname.tmp" scontext=staff_u:sysadm_r:insmod_t tcontext=staff_u:object_r:lib_t tclass=file
Ok I removed the file transition again. Seems like it is the user domain (the domain that is calling "make modules_install") that is creating the directory. I'm not going to add in a file transition for "modules" directory in a lib_t towards modules_object_t because I can imagine that there are other "modules" directories that would need to remain labeled as lib_t for now. So, if we hit this, the currently best course of action is to run "restorecon -R /lib/modules" and we're all set (also for future).
r3 is now in the tree, ~arch'ed
r4 is now stable in the tree