Re: Proposal: Add a depmod wrapper for kmod to aid SELinux

On Mon, 17 Feb 2014 08:47:05 -0500
Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx> wrote:

> Can you elaborate on the different set of SELinux labels/permissions
> for depmod?  Fedora ships with SELinux enforcing enabled and we've not
> had any issues with depmod being under the system_u:object_r:bin_t:s0
> label.  I'm curious what you're trying to set depmod to and why.

That's because Fedora uses a "targeted" SELinux policy by default and
therefore only restricts the permissions of daemons. Users are
"unconfined" - they keep their full permission set. Depmod is called
interactively and gets full root access, just as without SELinux.

I use a "strict" policy which also restricts users. In that case, root
normally doesn't have the permissions needed by modprobe or depmod.
Thus, they have to be labeled specially: depmod_t for depmod and
insmod_t for the other kmod tools.

> This seems somewhat over-engineered.  Wouldn't it be simpler to copy
> the kmod binary itself to a real file called 'depmod' during the
> installation?

You're absolutely right. I just didn't think of that. In some cases
this might create an unpleasant size overhead, but for kmod that
overhead is negligible. Since kmod's make install target doesn't create
the symlinks, it also doesn't have to care about this. I therefore
withdraw my proposal.

However, in case you add the functionality of creating the symlinks to
the Makefile in the future, it would be neat to offer this approach as
a configurable alternative. (Only for depmod, though, the other tools
can stay symlinks).


Regards,
Luis Ressel
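
The install layout settled on in this message (depmod as a real copy of the kmod binary, the other tools as symlinks), as an added example that is not part of the original e-mail or of kmod's build system. The function names, the tool list and the directories passed in are assumptions; the audit also flags a hard link, because an SELinux label is stored on the inode and a hard-linked depmod would share kmod's label just as a symlink does.

```shell
#!/bin/sh
# Added example, not kmod's own install logic. Function names and the
# tool list below are hypothetical choices made for this illustration.

KMOD_SYMLINK_TOOLS="insmod rmmod lsmod modprobe modinfo"

# install_kmod_tools SRC_KMOD DESTDIR
# Installs kmod, symlinks the ordinary tools to it, and gives depmod its
# own file (own inode) so it can carry a label different from kmod's.
install_kmod_tools() {
    src=$1
    dest=$2
    mkdir -p "$dest" || return 1
    cp "$src" "$dest/kmod" || return 1
    for tool in $KMOD_SYMLINK_TOOLS; do
        ln -sf kmod "$dest/$tool" || return 1
    done
    # Remove first: cp must never write through an old symlink or
    # hard link that still points at kmod.
    rm -f "$dest/depmod"
    cp "$dest/kmod" "$dest/depmod" || return 1
    chmod 755 "$dest/kmod" "$dest/depmod"
}

# depmod_layout DIR
# Prints one of: symlink | hardlink | separate | missing
# Only "separate" lets depmod be labelled independently of kmod.
depmod_layout() {
    dir=$1
    if [ -L "$dir/depmod" ]; then
        echo symlink      # label lookups follow the link to kmod
    elif [ ! -f "$dir/depmod" ]; then
        echo missing
    elif [ "$dir/depmod" -ef "$dir/kmod" ]; then
        echo hardlink     # same inode, therefore the same label
    else
        echo separate
    fi
}
```

On an SELinux system, `ls -Z` on the two files shows whether the separate copy actually received its own label after relabelling.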
