Proposal: Add a depmod wrapper for kmod to aid SELinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,


I've got a small proposal for kmod which would be helpful for SELinux
users. First of all, I'll give some background (if you're not
interested in that, you can skip the next two paragraphs):

As you may know, SELinux is is an optional kernel subsystem which gives
finer control over permissions than the standard Unix DAC
(Discretionary Access Controls - the normal read/write/execute bits).
Basically, it attaches labels ("contexts") to files and processes and
bases the decision whether to allow or not to allow a specific action
upon these contexts.

For multi-call binaries like kmod, this labeling is problematic: The
kmod tool "depmod" requires a different set of permissions than the
rest of the kmod tools, and should therefore get a different label.
However, all of the kmod tools are only symlinks to /bin/kmod - and due
to technical limitations, we can only attach labels to files, but not to
symlinks.

Thus, it would be useful if you could add wrapper binary to the kmod
distribution, basically just an
"execl("/bin/kmod", "/sbin/depmod", NULL);" call. This would behave
exactly the same as a symlink, but would allow SELinux policies to
label that binary differently. Of course, this doesn't have to be
done for every user; it could be optional on a ./configure option
"--enable-depmod-wrapper".

What do you think? Would you accept such a patch?


Regards,
Luis Ressel

Attachment: signature.asc
Description: PGP signature


[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux