Hello,

when a userspace program A (usually kmod or udev) instructs the kernel to load a kernel module via the finit_module syscall, the kernel loads the module into its address space and executes the initialization routine provided by the module. This initialization routine then runs in A's SELinux domain.

While that makes sense implementation-wise and is indeed what I'd expected (going by my admittedly fairly basic understanding of the SELinux internals), I'm not sure whether this is how the kernel should behave.

For example, this behaviour is currently triggering a bug on my systems: Since Linux 4.8, most graphics drivers need CAP_SYS_ADMIN during their module initialization (due to what is probably a kernel bug). Hence, loading them with udev works fine because my SELinux policy allows udev to use this capability, but those modules can't be loaded manually with kmod/modprobe.

I could of course work around that by granting kmod the 'self:capability sys_admin' permission, but I'm reluctant to do this since kmod itself does not require CAP_SYS_ADMIN for its operations.

Any thoughts on this matter?

Regards,
Luis Ressel
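The situation described in the post (a capability denial that is raised in the loader's domain but actually originates in a module's init routine) can be told apart from the loader's own denials by pairing each AVC record with the SYSCALL record of the same audit event. The following script is an added example, not code from the post or from the SELinux project: it parses constructed audit lines, keeps only denials hit inside init_module/finit_module, and prints the audit2allow-style rule so the reader can see how broad the grant would be. The domain name kmod_t, the x86_64 syscall numbers and the sample records are assumptions for illustration.

```python
import re
from collections import defaultdict

# Module-loading syscall numbers on x86_64 (assumption: the audit log comes from an
# x86_64 host; other architectures use different numbers).
MODULE_LOAD_SYSCALLS = {175: "init_module", 313: "finit_module"}

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+'
    r'pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?\bsyscall=(?P<nr>\d+)'
)

# Constructed sample records (not taken from the original post). Event 100 is a
# capability denial hit while modprobe was inside finit_module(); event 101 is an
# unrelated file denial from the same domain, included as a control case.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1481234567.123:100): avc:  denied  { sys_admin } for  pid=1234 comm="modprobe" capability=21  scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:system_r:kmod_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1481234567.123:100): arch=c000003e syscall=313 success=no exit=-1 a0=3 a1=0 a2=0 items=0 pid=1234 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:kmod_t:s0 key=(null)
type=AVC msg=audit(1481234570.456:101): avc:  denied  { read } for  pid=1240 comm="modprobe" name="modules.dep" dev="sda1" ino=4242 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1481234570.456:101): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=0 a2=0 items=1 pid=1240 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:kmod_t:s0 key=(null)
"""


def parse_events(text):
    """Group AVC and SYSCALL records by audit serial so each denial can be paired
    with the syscall during which it was raised."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            events[m["serial"]]["avc"].append({
                "perms": m["perms"].split(),
                "comm": m["comm"],
                "scontext": m["scontext"],
                "tcontext": m["tcontext"],
                "tclass": m["tclass"],
            })
            continue
        m = SYSCALL_RE.search(line)
        if m:
            events[m["serial"]]["syscall"] = int(m["nr"])
    return events


def module_init_denials(events):
    """Return the denials raised while the caller was inside a module-loading
    syscall. Those are attributable to the module's init routine, which runs in
    the loader's domain, rather than to the loader's own behaviour."""
    findings = []
    for serial, ev in sorted(events.items()):
        name = MODULE_LOAD_SYSCALLS.get(ev["syscall"])
        if name is None:
            continue
        for avc in ev["avc"]:
            findings.append({"serial": serial, "syscall": name, **avc})
    return findings


def domain_type(context):
    """Extract the type field from a user:role:type[:range] security context."""
    return context.split(":")[2]


def allow_rule(finding):
    """audit2allow-style rule that would silence the denial. For a capability
    denial the target is 'self', so the grant covers everything running in the
    domain, not just module loading; that is the breadth the post is wary of."""
    if finding["scontext"] == finding["tcontext"]:
        target = "self"
    else:
        target = domain_type(finding["tcontext"])
    return (f"allow {domain_type(finding['scontext'])} {target}:"
            f"{finding['tclass']} {' '.join(finding['perms'])};")


if __name__ == "__main__":
    for f in module_init_denials(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"event {f['serial']}: {f['comm']} denied {f['perms']} on "
              f"{f['tclass']} inside {f['syscall']}()")
        print("  rule that would silence it:", allow_rule(f))
```

Run against a real log, the module-init denials are the ones worth attributing to the driver (the post's graphics-driver case) rather than to kmod; the file denial in event 101 is filtered out because it happened inside openat(), not inside a module-loading syscall.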