udev and secure_mode_insmod in selinux-policy-3.9.7-10.fc14 and later
Mark Montague
mark at catseye.org
Fri Jan 7 00:51:11 UTC 2011
Under selinux-policy-3.9.7-7.fc14 and previous, udev was able to load
kernel modules even when secure_mode_insmod=on. Starting with the next
policy release, 3.9.7-10.fc14, this fails, resulting in the ethernet
device not being configured when the system boots; no denial is logged.
Setting secure_mode_insmod=off and rebooting results in a working
system, but allows other restricted domains to load kernel modules --
which is a shame since I also have unconfined_login=off and
secure_mode=on. So I added a local module with the following rule in
order to get the 3.9.7-7.fc14 behavior with secure_mode_insmod=on. (The
seemingly superfluous enclosing "if" is needed to avoid a duplicate rule
error.)
if (secure_mode_insmod) {
    modutils_domtrans_insmod_uncond(udev_t)
}
My question is: what is the desired behavior for future policy
releases? Should secure_mode_insmod=on affect udev as it currently does
under 3.9.7-10.fc14 and later? (A literal reading of the description
for this boolean implies it should.) Or should a new boolean be added
(off by default) to allow administrators to have udev load kernel
modules even when secure_mode_insmod=on? Or something else?
Apologies if this is actually a non-issue due to lack of understanding
on my end (but any education would be welcome in that case!).
--
Mark Montague
mark at catseye.org
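The following is an added example, not part of the post above, showing how the
quoted rule can be packaged as a complete local policy module and loaded with
the Fedora reference-policy build tools. The module name `udev_insmod`, the
scratch directory, and the `gen_require` block (declaring `udev_t` and the
`secure_mode_insmod` boolean so the local module can reference them) are
assumptions; the conditional rule itself is the one from the post. Building
needs the selinux-policy-devel package; the script skips the build step when
its Makefile is absent so the source file can still be inspected.

```shell
#!/bin/sh
# Added example (not from the original post): package the post's rule as a
# local SELinux policy module so udev_t may transition to insmod_t even when
# secure_mode_insmod=on. Module name, paths and the require block are assumed.
set -eu

MODULE_NAME="udev_insmod"
WORKDIR="${WORKDIR:-/tmp/udev_insmod}"   # assumed scratch directory

# Write the type-enforcement source. The enclosing if() is what the post
# reports as necessary to avoid a duplicate-rule error. Prints the path.
write_udev_insmod_te() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/$MODULE_NAME.te" <<'EOF'
policy_module(udev_insmod, 1.0)

gen_require(`
	type udev_t;
	bool secure_mode_insmod;
')

if (secure_mode_insmod) {
	modutils_domtrans_insmod_uncond(udev_t)
}
EOF
    printf '%s\n' "$dir/$MODULE_NAME.te"
}

# Compile with the reference-policy Makefile (it expands policy_module() and
# the modutils_domtrans_insmod_uncond() interface) and install the .pp.
build_and_load() {
    dir="$1"
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel not installed; skipping build" >&2
        return 0
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE_NAME.pp" )
    semodule -i "$dir/$MODULE_NAME.pp"
}

# Show the booleans this module interacts with; the conditional rule only
# takes effect while secure_mode_insmod is on.
check_booleans() {
    getsebool secure_mode_insmod secure_mode unconfined_login 2>/dev/null || true
}

te_file=$(write_udev_insmod_te "$WORKDIR")
echo "wrote $te_file"
build_and_load "$WORKDIR"
check_booleans
```

After `semodule -i`, `semodule -l | grep udev_insmod` confirms the module is
loaded; leaving secure_mode_insmod=on keeps every other confined domain
blocked from loading modules while udev alone regains the transition.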