On Mon, 17 Feb 2014 08:47:05 -0500
Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx> wrote:

> Can you elaborate on the different set of SELinux labels/permissions
> for depmod? Fedora ships with SELinux enforcing enabled and we've not
> had any issues with depmod being under the system_u:object_r:bin_t:s0
> label. I'm curious what you're trying to set depmod to and why.

That's because Fedora uses a "targeted" SELinux policy by default and therefore only restricts the permissions of daemons. Users are "unconfined" - they keep their full permission set. Depmod is called interactively and gets full root access, just as without SELinux.

I use a "strict" policy which also restricts users. In that case, root normally doesn't have the permissions needed by modprobe or depmod. Thus, they have to be labeled specially: depmod_t for depmod and insmod_t for the other kmod tools.

> This seems somewhat over-engineered. Wouldn't it be simpler to copy
> the kmod binary itself to a real file called 'depmod' during the
> installation?

You're absolutely right. I just didn't think of that. In some cases this might create an unpleasant size overhead, but for kmod that overhead is negligible.

Since kmod's make install target doesn't create the symlinks, it also doesn't have to care about this. I therefore withdraw my proposal. However, in case you add the functionality of creating the symlinks to the Makefile in the future, it would be neat to offer this approach as a configurable alternative. (Only for depmod, though, the other tools can stay symlinks).

Regards,
Luis Ressel
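
The approach settled on above (installing depmod as a real copy of kmod instead of a symlink, so the file can carry its own SELinux label while the other tools stay symlinks), sketched as an added example that is not part of the original message or of kmod's build system. The function name `materialize_tool` and the directory layout (kmod and its tool links in one directory) are assumptions.

```shell
#!/bin/sh
# Added example, not kmod's own install logic.
# A symlink has no executable label of its own: exec() follows it to kmod,
# so every tool name shares kmod's label. A real file can be labeled alone.

# materialize_tool DIR NAME   (hypothetical helper)
#   If DIR/NAME is a symlink resolving to DIR/kmod, replace it with a real
#   copy of kmod. Returns 0 if DIR/NAME is (now) a regular file, 1 if the
#   entry was left untouched.
materialize_tool() {
    dir=$1
    name=$2
    link="$dir/$name"
    kmod="$dir/kmod"

    # Already a real file: nothing to do (safe to run twice).
    if [ -f "$link" ] && [ ! -L "$link" ]; then
        return 0
    fi

    # Only symlinks are converted; missing or unusual entries are left alone.
    [ -L "$link" ] || return 1

    # Refuse links that resolve elsewhere (or dangle) instead of guessing.
    [ "$link" -ef "$kmod" ] || return 1

    # Copy next to the target, then rename over the symlink so the name
    # never disappears and never points at a half-written file.
    tmp="$link.tmp.$$"
    if ! cp -p "$kmod" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$link"
}

# Typical use in a packaging step (path is an assumption):
#   materialize_tool "$DESTDIR/sbin" depmod
# On an SELinux system the new file still has to be relabeled afterwards
# (for example with restorecon) so the policy's file context for depmod
# applies; that step is not performed here.
```
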