Bug 427660 - sys-fs/udev-186 doesn't autoload modules on boot
Summary: sys-fs/udev-186 doesn't autoload modules on boot
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r3
Reported: 2012-07-22 17:39 UTC by Amadeusz Sławiński
Modified: 2012-10-04 18:36 UTC
Description Amadeusz Sławiński 2012-07-22 17:39:34 UTC
udev doesn't autoload modules on boot or later when booted in enforcing

Denials in enforcing, they do not appear with dontaudit enabled:

Jul 22 19:29:05 lain kernel: [   14.101508] type=1400 audit(1342978137.863:4): avc:  denied  { getattr } for  pid=1472 comm="systemd-udevd" path="/etc/modprobe.d" dev="dm-0" ino=10092675 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=dir
Jul 22 19:29:05 lain kernel: [   14.663429] type=1400 audit(1342978138.423:5): avc:  denied  { read } for  pid=1489 comm="systemd-udevd" name="iTCO_wdt.ko" dev="dm-0" ino=15335759 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=file
Jul 22 19:29:05 lain kernel: [   14.664326] type=1400 audit(1342978138.426:6): avc:  denied  { getattr } for  pid=1486 comm="systemd-udevd" path="/lib64/modules/3.4.5-hardened/kernel/sound/pci/hda/snd-hda-codec.ko" dev="dm-0" ino=15335793 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=file
Jul 22 19:29:05 lain kernel: [   14.664427] type=1400 audit(1342978138.426:7): avc:  denied  { read } for  pid=1486 comm="systemd-udevd" name="snd-hda-intel.ko" dev="dm-0" ino=15335794 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=file
Jul 22 19:29:05 lain kernel: [   14.664670] type=1400 audit(1342978138.426:8): avc:  denied  { getattr } for  pid=1485 comm="systemd-udevd" path="/lib64/modules/3.4.5-hardened/kernel/sound/pci/hda/snd-hda-codec.ko" dev="dm-0" ino=15335793 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=file
Jul 22 19:29:05 lain kernel: [   14.664790] type=1400 audit(1342978138.426:9): avc:  denied  { read } for  pid=1485 comm="systemd-udevd" name="snd-hda-intel.ko" dev="dm-0" ino=15335794 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=file
Jul 22 19:29:05 lain kernel: [   14.664925] type=1400 audit(1342978138.426:10): avc:  denied  { getattr } for  pid=1488 comm="systemd-udevd" path="/lib64/modules/3.4.5-hardened/kernel/drivers/net/wireless/ath/ath9k/ath9k_common.ko" dev="dm-0" ino=15335752 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=file
Jul 22 19:29:05 lain kernel: [   14.664996] type=1400 audit(1342978138.426:11): avc:  denied  { read } for  pid=1488 comm="systemd-udevd" name="ath9k.ko" dev="dm-0" ino=15335751 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=file
Jul 22 19:29:05 lain kernel: [   14.666613] type=1400 audit(1342978138.426:12): avc:  denied  { getattr } for  pid=1482 comm="systemd-udevd" path="/lib64/modules/3.4.5-hardened/kernel/drivers/media/video/videobuf2-vmalloc.ko" dev="dm-0" ino=15335745 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=file
Jul 22 19:29:05 lain kernel: [   14.666990] type=1400 audit(1342978138.426:13): avc:  denied  { read } for  pid=1482 comm="systemd-udevd" name="uvcvideo.ko" dev="dm-0" ino=15335740 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=file

Reproducible: Always

Portage 2.1.11.9 (hardened/linux/amd64/selinux, gcc-4.6.3, glibc-2.15-r2, 3.4.5-hardened x86_64)
=================================================================
System uname: Linux-3.4.5-hardened-x86_64-Intel-R-_Core-TM-_i3_CPU_M_350_@_2.27GHz-with-gentoo-2.1
Timestamp of tree: Sat, 21 Jul 2012 16:00:01 +0000
app-shells/bash:          4.2_p37
dev-lang/python:          2.7.3-r2, 3.2.3-r1
dev-util/cmake:           2.8.8-r3
dev-util/pkgconfig:       0.27
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.10.5
sys-apps/sandbox:         2.6
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.2
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.4-r1 (virtual/os-headers)
sys-libs/glibc:           2.15-r2
Repositories: gentoo hardened-dev my_local_overlay
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA AdobeFlash-10.3 PUEL"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.4/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch parse-eapi-ebuild-head protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/hardened-development /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acpi alsa amd64 apache2 bash-completion berkdb bluetooth bzip2 cli cracklib crypt cxx dbus dri dvd gdbm gif gpm hardened iconv ipv6 jpeg justify mmx modules mp3 mudflap multilib mysql mysqli ncurses nls nptl open_perms opengl openmp pam pax_kernel pcre png pppd readline selinux session sse sse2 sse4_1 sse4_2 ssl ssse3 tcpd tiff udev unicode urandom usb v4l vim-syntax xinerama xorg zlib zsh-completion" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 1 Amadeusz Sławiński 2012-07-22 19:05:42 UTC
With stable udev (171-r6) it also doesn't load modules in enforcing; note that it is on ~arch.

In enforcing:
Jul 22 20:53:12 lain kernel: [   12.563668] type=1400 audit(1342983184.316:4): avc:  denied  { write } for  pid=1341 comm="write_root_link" name="rules.d" dev="tmpfs" ino=1076 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Jul 22 20:53:12 lain kernel: [   12.564109] type=1400 audit(1342983184.316:5): avc:  denied  { write } for  pid=1341 comm="write_root_link" name="rules.d" dev="tmpfs" ino=1076 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Jul 22 20:53:12 lain kernel: [   12.564349] type=1400 audit(1342983184.316:6): avc:  denied  { write } for  pid=1341 comm="write_root_link" name="rules.d" dev="tmpfs" ino=1076 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Jul 22 20:53:12 lain kernel: [   13.540343] type=1400 audit(1342983185.296:8): avc:  denied  { getattr } for  pid=1389 comm="modprobe" path="/etc/modprobe.d" dev="dm-0" ino=10092675 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=dir
Jul 22 20:53:12 lain kernel: [   13.540772] type=1400 audit(1342983185.296:9): avc:  denied  { getattr } for  pid=1410 comm="modprobe" path="/etc/modprobe.d" dev="dm-0" ino=10092675 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=dir
Jul 22 20:53:12 lain kernel: [   13.541164] type=1400 audit(1342983185.296:10): avc:  denied  { getattr } for  pid=1387 comm="modprobe" path="/etc/modprobe.d" dev="dm-0" ino=10092675 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=dir

nothing of interest in permissive
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-22 19:21:31 UTC
It might be necessary to find out what systemd-udevd is doing (code-wise), but can you try adding the following policy statements?

"""
modutils_read_module_config(udev_t)
files_read_kernel_modules(udev_t)
"""
Comment 3 Amadeusz Sławiński 2012-07-22 20:24:49 UTC
Tested all combinations; it seems that files_read_kernel_modules(udev_t) allows it to go further:

Jul 22 22:09:54 lain kernel: [   12.879800] type=1400 audit(1342987786.636:4): avc:  denied  { read } for  pid=1344 comm="systemd-udevd" name="modprobe.d" dev="dm-0" ino=10092675 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=dir
Jul 22 22:09:54 lain kernel: [   13.352358] type=1400 audit(1342987787.110:5): avc:  denied  { sys_module } for  pid=1365 comm="systemd-udevd" capability=16  scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability
Jul 22 22:09:54 lain kernel: [   13.362071] type=1400 audit(1342987787.120:6): avc:  denied  { sys_module } for  pid=1362 comm="systemd-udevd" capability=16  scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability
Jul 22 22:09:54 lain kernel: [   13.373454] type=1400 audit(1342987787.130:8): avc:  denied  { sys_module } for  pid=1355 comm="systemd-udevd" capability=16  scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability
Jul 22 22:09:54 lain kernel: [   13.385080] type=1400 audit(1342987787.143:9): avc:  denied  { sys_module } for  pid=1363 comm="systemd-udevd" capability=16  scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability
Comment 4 Amadeusz Sławiński 2012-07-23 11:21:53 UTC
So I decided to look a bit at what Fedora is doing.

Commits from Fedora refpolicy which seem relevant to modules and the logs which I got:
http://git.fedorahosted.org/git/?p=selinux-policy.git;a=history;f=policy/modules/system/udev.te;h=5cd1cf11dcb76712b1937833d237181c8f270375;hb=HEAD
http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blobdiff;f=policy/modules/system/udev.te;h=b79d72f68add18d2070dd4ab99f9aace5282f13f;hp=5ff6bebba6b842f87b74219601eb4515bdf5b1e1;hb=8f84b89be79cf45091b37a1d8b31b09aa5158a7b;hpb=b39a38b13871c76f024aaad0a4c0af80e8eba6f8
http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blobdiff;f=policy/modules/system/udev.te;h=b602d7ff938d6b32ddad90540a963d435890655a;hp=7983cfa96ed8eca34b1c9a0e67a8570873025794;hb=872a47655eaa4f1cc38ce81db7644469654f7b39;hpb=6494791b6e57a6e902dd1e3551e5bbb08ddb875d

So after applying all of them, modules seem to load fine; the only stuff left in the logs seems to be cosmetic:
Jul 23 13:00:50 lain kernel: [   13.764850] type=1400 audit(1343041196.523:4): avc:  denied  { getattr } for  pid=1385 comm="modprobe" path="/etc/modprobe.d" dev="dm-0" ino=10092675 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:modules_conf_t tclass=dir
Jul 23 13:00:50 lain kernel: [   13.764898] type=1400 audit(1343041196.523:5): avc:  denied  { search } for  pid=1385 comm="modprobe" name="/" dev="tmpfs" ino=1314 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_run_t tclass=dir
Jul 23 13:00:50 lain kernel: [   13.765064] type=1400 audit(1343041196.523:6): avc:  denied  { search } for  pid=1385 comm="modprobe" name="modules" dev="dm-0" ino=15335575 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:modules_object_t tclass=dir
Jul 23 13:00:50 lain kernel: [   13.765108] type=1400 audit(1343041196.523:7): avc:  denied  { search } for  pid=1385 comm="modprobe" name="modules" dev="dm-0" ino=15335575 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:modules_object_t tclass=dir
...and more similar

without (second link)
modutils_list_module_config(udev_t)
modutils_read_module_conf(udev_t)
there is also this:
Jul 23 13:06:54 lain kernel: [   13.545507] type=1400 audit(1343041606.303:4): avc:  denied  { getattr } for  pid=1341 comm="systemd-udevd" path="/etc/modprobe.d" dev="dm-0" ino=10092675 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=dir
but modules still load, so I'm not sure if it is really needed
Comment 5 Amadeusz Sławiński 2012-07-23 14:26:30 UTC
Eh, after a few reboots I noticed that it still doesn't load all of them.

in enforcing:
Module                  Size  Used by
uvcvideo               72734  0 
ath9k                  92113  0 
ath9k_common            2902  1 ath9k
ath9k_hw              359849  2 ath9k_common,ath9k
videobuf2_vmalloc       2495  1 uvcvideo
snd_hda_intel          25753  1 
videobuf2_memops        2618  1 videobuf2_vmalloc
videobuf2_core         22369  1 uvcvideo
snd_hda_codec          97190  1 snd_hda_intel
videodev              111586  1 uvcvideo
snd_pcm                86703  2 snd_hda_codec,snd_hda_intel
snd_page_alloc          8363  2 snd_pcm,snd_hda_intel
snd_timer              23633  1 snd_pcm
iTCO_wdt               13738  0 
snd_hwdep               7225  1 snd_hda_codec
snd                    67056  7 snd_hwdep,snd_timer,snd_pcm,snd_hda_codec,snd_hda_intel
led_class               3307  1 ath9k
soundcore               1108  1 snd

in permissive:
Module                  Size  Used by
snd_hda_codec_hdmi     24644  4 
snd_hda_codec_conexant    49646  1 
ath9k                  92049  0 
ath9k_common            2902  1 ath9k
ath9k_hw              359768  2 ath9k_common,ath9k
snd_hda_intel          25657  4 
snd_hda_codec          97070  3 snd_hda_codec_hdmi,snd_hda_codec_conexant,snd_hda_intel
uvcvideo               72508  0 
snd_pcm                86623  4 snd_hda_codec_hdmi,snd_hda_codec,snd_hda_intel
snd_page_alloc          8203  2 snd_pcm,snd_hda_intel
snd_timer              23601  2 snd_pcm
videobuf2_vmalloc       2527  1 uvcvideo
videobuf2_memops        2650  1 videobuf2_vmalloc
videobuf2_core         22509  1 uvcvideo
snd_hwdep               7225  1 snd_hda_codec
iTCO_wdt               13738  0 
videodev              111794  1 uvcvideo
led_class               3307  1 ath9k
snd                    67318  13 snd_hwdep,snd_timer,snd_hda_codec_hdmi,snd_hda_codec_conexant,snd_pcm,snd_hda_codec,snd_hda_intel
soundcore               1108  1 snd
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-25 17:57:10 UTC
As per our IRC session, this might have had something to do with the use of kmod instead of regular insmod/modprobe. Have you been able to get the context right there and get this fired up?
Comment 7 Amadeusz Sławiński 2012-07-27 13:23:46 UTC
So after tests (and setting the insmod_exec_t label on kmod), it seems the following rules need to be added:

kernel_load_module(udev_t)
^- needed for sys_module call

files_read_kernel_modules(udev_t)
modutils_read_module_config(udev_t)
^- needed for reading module dependencies

There is still the following in the log, but it doesn't seem to prevent modules from loading correctly in enforcing:
Jul 27 15:16:19 lain kernel: [   13.487494] type=1400 audit(1343394960.246:4): avc:  denied  { read } for  pid=1374 comm="systemd-udevd" name="modprobe.d" dev="dm-0" ino=10092675 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=dir
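Worked example, added here and not part of the bug report or of the Gentoo policy: a small Python script that parses AVC denial lines in the format quoted throughout this bug, groups the denied permissions by source type, target type and object class, and maps each group for the udev_t domain to the refpolicy interface that comment 7 settled on. The mapping table (THREAD_INTERFACES) and the suggest_interfaces helper are my own construction from that comment; the sample lines are copied from the denials above (kernel prefix dropped), plus one kernel_t line from comment 4 and one non-AVC line to show that other domains and unrelated messages are reported but not mapped.

```python
import re
from collections import defaultdict

# Sample input: AVC lines copied from this bug report (comments 0, 3, 4 and 7),
# with the syslog/kernel prefix removed, plus one unrelated line.
SAMPLE_LOG = """\
type=1400 audit(1342978137.863:4): avc:  denied  { getattr } for  pid=1472 comm="systemd-udevd" path="/etc/modprobe.d" dev="dm-0" ino=10092675 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=dir
type=1400 audit(1342978138.423:5): avc:  denied  { read } for  pid=1489 comm="systemd-udevd" name="iTCO_wdt.ko" dev="dm-0" ino=15335759 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=file
type=1400 audit(1342978138.426:6): avc:  denied  { getattr } for  pid=1486 comm="systemd-udevd" path="/lib64/modules/3.4.5-hardened/kernel/sound/pci/hda/snd-hda-codec.ko" dev="dm-0" ino=15335793 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=file
type=1400 audit(1342987787.110:5): avc:  denied  { sys_module } for  pid=1365 comm="systemd-udevd" capability=16  scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability
type=1400 audit(1343394960.246:4): avc:  denied  { read } for  pid=1374 comm="systemd-udevd" name="modprobe.d" dev="dm-0" ino=10092675 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=dir
type=1400 audit(1343041196.523:5): avc:  denied  { search } for  pid=1385 comm="modprobe" name="/" dev="tmpfs" ino=1314 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_run_t tclass=dir
some unrelated kernel message that must be ignored
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." -> permissions and the key=value tail.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (set of denied permissions, dict of fields) for one denial line,
    or None when the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group('perms').split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return perms, fields


def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def summarize(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, fields = parsed
        key = (context_type(fields['scontext']),
               context_type(fields['tcontext']),
               fields['tclass'])
        summary[key] |= perms
    return dict(summary)


# (target type, object class) -> refpolicy interface, as chosen in comment 7 of this bug.
# This table is an assumption built from that comment, not an exhaustive refpolicy index.
THREAD_INTERFACES = {
    ('modules_conf_t', 'dir'): 'modutils_read_module_config',
    ('modules_object_t', 'file'): 'files_read_kernel_modules',
    ('udev_t', 'capability'): 'kernel_load_module',
}


def suggest_interfaces(summary, domain='udev_t'):
    """For each denial group whose source is `domain`, return the interface call the
    thread used (or None when no known interface covers it) plus the denied permissions,
    so unmatched groups remain visible instead of being silently dropped."""
    suggestions = {}
    for (stype, ttype, tclass), perms in summary.items():
        if stype != domain:
            continue
        iface = THREAD_INTERFACES.get((ttype, tclass))
        call = f'{iface}({domain})' if iface else None
        suggestions[(ttype, tclass)] = (call, sorted(perms))
    return suggestions


if __name__ == '__main__':
    groups = summarize(SAMPLE_LOG)
    for key, perms in sorted(groups.items()):
        print('denied', key, sorted(perms))
    for key, (call, perms) in sorted(suggest_interfaces(groups).items()):
        print('suggest', key, call, perms)
```

Grouping by type rather than by path is what makes the output actionable: the three udev_t groups correspond one-to-one with the three interface calls in comment 7, while the kernel_t/var_run_t group from comment 4 is listed but left unmapped, matching the thread's conclusion that those denials were cosmetic and not yet decided on.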
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2012-08-15 08:47:15 UTC
Will be part of rev3
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2012-08-16 14:11:10 UTC
r3 is in hardened-dev overlay
Comment 10 Sven Vermeulen (RETIRED) gentoo-dev 2012-09-22 11:32:22 UTC
In main tree, ~arch'ed (rev 5)
Comment 11 Sven Vermeulen (RETIRED) gentoo-dev 2012-10-04 18:36:55 UTC
stabilized