Summary: | sys-fs/udev-186 doesn't autoload modules on boot | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Amadeusz Sławiński <amade> |
Component: | SELinux | Assignee: | Sven Vermeulen (RETIRED) <swift> |
Status: | VERIFIED FIXED | ||
Severity: | normal | CC: | selinux |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | sec-policy r3 | ||
Package list: | Runtime testing required: | --- |
Description (Amadeusz Sławiński, 2012-07-22 17:39:34 UTC)

With stable udev (171-r6) it also doesn't load modules in enforcing; note that it is on ~arch.

In enforcing:

```text
Jul 22 20:53:12 lain kernel: [   12.563668] type=1400 audit(1342983184.316:4): avc:  denied  { write } for  pid=1341 comm="write_root_link" name="rules.d" dev="tmpfs" ino=1076 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Jul 22 20:53:12 lain kernel: [   12.564109] type=1400 audit(1342983184.316:5): avc:  denied  { write } for  pid=1341 comm="write_root_link" name="rules.d" dev="tmpfs" ino=1076 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Jul 22 20:53:12 lain kernel: [   12.564349] type=1400 audit(1342983184.316:6): avc:  denied  { write } for  pid=1341 comm="write_root_link" name="rules.d" dev="tmpfs" ino=1076 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Jul 22 20:53:12 lain kernel: [   13.540343] type=1400 audit(1342983185.296:8): avc:  denied  { getattr } for  pid=1389 comm="modprobe" path="/etc/modprobe.d" dev="dm-0" ino=10092675 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=dir
Jul 22 20:53:12 lain kernel: [   13.540772] type=1400 audit(1342983185.296:9): avc:  denied  { getattr } for  pid=1410 comm="modprobe" path="/etc/modprobe.d" dev="dm-0" ino=10092675 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=dir
Jul 22 20:53:12 lain kernel: [   13.541164] type=1400 audit(1342983185.296:10): avc:  denied  { getattr } for  pid=1387 comm="modprobe" path="/etc/modprobe.d" dev="dm-0" ino=10092675 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=dir
```

Nothing of interest in permissive.

It might be necessary to find out what systemd-udevd is doing (code-wise), but can you try adding the following policy statements?

```
modutils_read_module_config(udev_t)
files_read_kernel_modules(udev_t)
```

Tested all combinations; seems like files_read_kernel_modules(udev_t) allows it to go further:

```text
Jul 22 22:09:54 lain kernel: [   12.879800] type=1400 audit(1342987786.636:4): avc:  denied  { read } for  pid=1344 comm="systemd-udevd" name="modprobe.d" dev="dm-0" ino=10092675 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=dir
Jul 22 22:09:54 lain kernel: [   13.352358] type=1400 audit(1342987787.110:5): avc:  denied  { sys_module } for  pid=1365 comm="systemd-udevd" capability=16 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability
Jul 22 22:09:54 lain kernel: [   13.362071] type=1400 audit(1342987787.120:6): avc:  denied  { sys_module } for  pid=1362 comm="systemd-udevd" capability=16 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability
Jul 22 22:09:54 lain kernel: [   13.373454] type=1400 audit(1342987787.130:8): avc:  denied  { sys_module } for  pid=1355 comm="systemd-udevd" capability=16 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability
Jul 22 22:09:54 lain kernel: [   13.385080] type=1400 audit(1342987787.143:9): avc:  denied  { sys_module } for  pid=1363 comm="systemd-udevd" capability=16 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability
```

So I decided to look a bit at what Fedora is doing. Commits from Fedora refpolicy which seem relevant to modules and logs which I got:

http://git.fedorahosted.org/git/?p=selinux-policy.git;a=history;f=policy/modules/system/udev.te;h=5cd1cf11dcb76712b1937833d237181c8f270375;hb=HEAD

http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blobdiff;f=policy/modules/system/udev.te;h=b79d72f68add18d2070dd4ab99f9aace5282f13f;hp=5ff6bebba6b842f87b74219601eb4515bdf5b1e1;hb=8f84b89be79cf45091b37a1d8b31b09aa5158a7b;hpb=b39a38b13871c76f024aaad0a4c0af80e8eba6f8

http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blobdiff;f=policy/modules/system/udev.te;h=b602d7ff938d6b32ddad90540a963d435890655a;hp=7983cfa96ed8eca34b1c9a0e67a8570873025794;hb=872a47655eaa4f1cc38ce81db7644469654f7b39;hpb=6494791b6e57a6e902dd1e3551e5bbb08ddb875d

So after applying all of them modules seem to load fine; the only stuff left in logs seems to be cosmetic:

```text
Jul 23 13:00:50 lain kernel: [   13.764850] type=1400 audit(1343041196.523:4): avc:  denied  { getattr } for  pid=1385 comm="modprobe" path="/etc/modprobe.d" dev="dm-0" ino=10092675 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:modules_conf_t tclass=dir
Jul 23 13:00:50 lain kernel: [   13.764898] type=1400 audit(1343041196.523:5): avc:  denied  { search } for  pid=1385 comm="modprobe" name="/" dev="tmpfs" ino=1314 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_run_t tclass=dir
Jul 23 13:00:50 lain kernel: [   13.765064] type=1400 audit(1343041196.523:6): avc:  denied  { search } for  pid=1385 comm="modprobe" name="modules" dev="dm-0" ino=15335575 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:modules_object_t tclass=dir
Jul 23 13:00:50 lain kernel: [   13.765108] type=1400 audit(1343041196.523:7): avc:  denied  { search } for  pid=1385 comm="modprobe" name="modules" dev="dm-0" ino=15335575 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:modules_object_t tclass=dir
```

...and more similar.

Without (second link)

```
modutils_list_module_config(udev_t)
modutils_read_module_conf(udev_t)
```

there is also this:

```text
Jul 23 13:06:54 lain kernel: [   13.545507] type=1400 audit(1343041606.303:4): avc:  denied  { getattr } for  pid=1341 comm="systemd-udevd" path="/etc/modprobe.d" dev="dm-0" ino=10092675 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=dir
```

but modules still load, so I'm not sure if it is really needed.

Eh, after a few reboots I noticed that it still doesn't load all of them in enforcing:

```text
Module                  Size  Used by
uvcvideo               72734  0
ath9k                  92113  0
ath9k_common            2902  1 ath9k
ath9k_hw              359849  2 ath9k_common,ath9k
videobuf2_vmalloc       2495  1 uvcvideo
snd_hda_intel          25753  1
videobuf2_memops        2618  1 videobuf2_vmalloc
videobuf2_core         22369  1 uvcvideo
snd_hda_codec          97190  1 snd_hda_intel
videodev              111586  1 uvcvideo
snd_pcm                86703  2 snd_hda_codec,snd_hda_intel
snd_page_alloc          8363  2 snd_pcm,snd_hda_intel
snd_timer              23633  1 snd_pcm
iTCO_wdt               13738  0
snd_hwdep               7225  1 snd_hda_codec
snd                    67056  7 snd_hwdep,snd_timer,snd_pcm,snd_hda_codec,snd_hda_intel
led_class               3307  1 ath9k
soundcore               1108  1 snd
```

in permissive:

```text
Module                  Size  Used by
snd_hda_codec_hdmi     24644  4
snd_hda_codec_conexant 49646  1
ath9k                  92049  0
ath9k_common            2902  1 ath9k
ath9k_hw              359768  2 ath9k_common,ath9k
snd_hda_intel          25657  4
snd_hda_codec          97070  3 snd_hda_codec_hdmi,snd_hda_codec_conexant,snd_hda_intel
uvcvideo               72508  0
snd_pcm                86623  4 snd_hda_codec_hdmi,snd_hda_codec,snd_hda_intel
snd_page_alloc          8203  2 snd_pcm,snd_hda_intel
snd_timer              23601  2 snd_pcm
videobuf2_vmalloc       2527  1 uvcvideo
videobuf2_memops        2650  1 videobuf2_vmalloc
videobuf2_core         22509  1 uvcvideo
snd_hwdep               7225  1 snd_hda_codec
iTCO_wdt               13738  0
videodev              111794  1 uvcvideo
led_class               3307  1 ath9k
snd                    67318  13 snd_hwdep,snd_timer,snd_hda_codec_hdmi,snd_hda_codec_conexant,snd_pcm,snd_hda_codec,snd_hda_intel
soundcore               1108  1 snd
```

As per our IRC session, this might have had something to do with the use of kmod instead of regular insmod/modprobe. Have you been able to get the context right there and get this fired up?

So after tests (and setting insmod_exec_t label to kmod) seems like the following rules need to be added:

```
kernel_load_module(udev_t)
^- needed for sys_module call
files_read_kernel_modules(udev_t)
modutils_read_module_config(udev_t)
^- needed for reading module dependencies
```

There is still the following in log but it doesn't seem to prevent modules from loading correctly in enforcing:

```text
Jul 27 15:16:19 lain kernel: [   13.487494] type=1400 audit(1343394960.246:4): avc:  denied  { read } for  pid=1374 comm="systemd-udevd" name="modprobe.d" dev="dm-0" ino=10092675 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=dir
```

Will be part of rev3

r3 is in hardened-dev overlay

In main tree, ~arch'ed (rev 5)

stabilized
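Added example, not part of the bug report or of Gentoo's policy: a small Python script that collapses AVC records like the ones quoted in this bug into the raw allow rules they imply, the same reduction audit2allow performs, so duplicates fold away and the distinct denials (initrc_t writing into udev_tbl_t, udev_t reading modules_conf_t, udev_t needing sys_module) can be read at a glance. The sample lines are a constructed subset copied from the report; the function names are my own.

```python
import re
from collections import defaultdict

# Sample input: AVC denials copied from the bug report above (constructed subset).
SAMPLE_AVC = """\
type=1400 audit(1342983184.316:4): avc: denied { write } for pid=1341 comm="write_root_link" name="rules.d" dev="tmpfs" ino=1076 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
type=1400 audit(1342983184.316:5): avc: denied { write } for pid=1341 comm="write_root_link" name="rules.d" dev="tmpfs" ino=1076 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
type=1400 audit(1342983185.296:8): avc: denied { getattr } for pid=1389 comm="modprobe" path="/etc/modprobe.d" dev="dm-0" ino=10092675 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=dir
type=1400 audit(1342987786.636:4): avc: denied { read } for pid=1344 comm="systemd-udevd" name="modprobe.d" dev="dm-0" ino=10092675 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=dir
type=1400 audit(1342987787.110:5): avc: denied { sys_module } for pid=1365 comm="systemd-udevd" capability=16 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability
this line is not an AVC record and must be ignored
"""

# Matches the permission set and the source/target contexts of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Contexts are user:role:type[:level]; the type is always the third field.
    stype = m["scontext"].split(":")[2]
    ttype = m["tcontext"].split(":")[2]
    return stype, ttype, m["tclass"], frozenset(m["perms"].split())

def collapse(lines):
    """Merge repeated denials into one permission set per (source, target, class)."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return rules

def to_allow_rules(rules):
    """Render collapsed denials as raw allow statements, using 'self' where source == target."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        pstr = " ".join(sorted(perms))
        if len(perms) > 1:
            pstr = "{ " + pstr + " }"
        out.append(f"allow {stype} {target}:{tclass} {pstr};")
    return out
```

In refpolicy these raw rules are expressed through the interfaces the bug settled on (kernel_load_module, files_read_kernel_modules, modutils_read_module_config) rather than pasted in verbatim; the initrc_t write into udev_tbl_t is a separate matter and should be understood before anything is granted for it.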