
I have a daemon running as unconfined_service_t SELinux type, on Redhat Enterprise Linux 8:

# ps -eZ | grep savd
system_u:system_r:unconfined_service_t:s0 693 ? 00:00:00 savd

It is trying to load a Linux kernel module using insmod.

SELinux (in enforcing mode) is blocking it:

type=AVC msg=audit(1566572669.301:24): avc:  denied  { module_load } for  pid=815 comm="insmod" path="/opt/sophos-av/talpa/current/talpa_syscallhook.ko" dev="xvda2" ino=48087622 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=system permissive=0

I've tried to set domain_kernel_load_modules to allow all domains to load kernel modules:

 setsebool -P domain_kernel_load_modules 1

Just in case I had misunderstood, I tried 0 as well, and rebooting, but loading kernel modules was blocked either way.

audit2allow suggests creating a rule for it, but I thought domain_kernel_load_modules would allow all processes to load kernel modules, so I don't understand why it isn't working.

Can I get unconfined services to be able to load kernel modules without creating an additional policy?

This is an AWS instance VM if that matters.

Douglas Leeder

1 Answer


Your file containing the kernel module has the security context system_u:object_r:usr_t:s0. This is not the expected type for a kernel module. This makes me think that something went wrong with your installation, as Sophos should have set the correct security context when it was installed. It could be a bug.

Anyway, the correct type is modules_object_t. You can try changing the type of the file as a workaround, until Sophos fixes the problem. (Which you should also report to them.)

chcon -t modules_object_t /opt/sophos-av/talpa/current/talpa_syscallhook.ko

Michael Hampton

  • That sounds promising, unfortunately the talpa modules are unpacked from a tarfile, just before being loaded. Maybe directory permissions will be replicated down? I can't find any documentation for modules_object_t - do you know where it might be? – Douglas Leeder Aug 27 '19 at 09:00
  • Who knows about documentation? I just looked at the type on a running system. Based on your description, I expect you probably ought to be yelling at the vendor. – Michael Hampton Aug 27 '19 at 09:03
  • Thanks. I've verified it works - you can set the whole /opt/sophos-av/talpa directory to be modules_object_t, and then it can load Talpa up. – Douglas Leeder Aug 27 '19 at 09:43
  • 1
    You can configure that SELinux type for the files using: `semanage fcontext -a -t modules_object_t /opt/sophos-av/talpa(/.*)?`. See [SELinux Contexts — Labeling Files](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-working_with_selinux-selinux_contexts_labeling_files) for more information about that. – filbranden Aug 28 '19 at 04:25
  • @filbranden Yes, this will work, but also Sophos should be doing this. – Michael Hampton Aug 28 '19 at 06:46
  • @MichaelHampton I don't think they can do that as part of a tarball unpacking... But one thing they *could* do is ship this to be installed in the proper location, which is somewhere under `/lib/modules`. (Often the answer to SELinux issues is to **use the proper location**, where labels will just work correctly.) – filbranden Aug 28 '19 at 10:08
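The following script is an added example, not code from the question, the answer or Sophos. It puts the diagnosis above (a `module_load` denial against a file whose type is not `modules_object_t`) and the persistent fix from the comments (`semanage fcontext` plus `restorecon`) into reusable shell functions. The AVC line is a constructed copy of the one in the question; `semanage` and `restorecon` are assumed to come from the RHEL 8 `policycoreutils-python-utils` and `policycoreutils` packages, and the apply step is only meaningful when run as root on the affected host.

```shell
#!/bin/sh
# Constructed sample: the AVC denial quoted in the question, verbatim fields.
AVC_SAMPLE='type=AVC msg=audit(1566572669.301:24): avc:  denied  { module_load } for  pid=815 comm="insmod" path="/opt/sophos-av/talpa/current/talpa_syscallhook.ko" dev="xvda2" ino=48087622 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=system permissive=0'

# Type field (user:role:TYPE:level) of the target context in an AVC line.
avc_target_type() {
    printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# The denied permission inside "{ ... }", e.g. module_load.
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^ }]*\) *}.*/\1/p'
}

# The path="..." value, i.e. the file the domain tried to load.
avc_path() {
    printf '%s\n' "$1" | sed -n 's/.*path="\([^"]*\)".*/\1/p'
}

# True when the denial matches the mislabelled-module case discussed above:
# module_load refused on a file whose type is anything but modules_object_t.
is_mislabelled_module() {
    [ "$(avc_permission "$1")" = "module_load" ] && \
    [ "$(avc_target_type "$1")" != "modules_object_t" ]
}

# semanage regex covering a directory and everything below it; a trailing
# slash on the argument is dropped so the pattern does not become "dir/(/.*)?".
fcontext_pattern() {
    printf '%s(/.*)?\n' "${1%/}"
}

# Persistent fix: record the rule in the local policy store, then relabel.
# Unlike chcon, this survives a relabel and re-unpacking of the tarball into
# the same directory (new files inherit the matching fcontext rule).
label_module_dir() {
    semanage fcontext -a -t modules_object_t "$(fcontext_pattern "$1")" && \
    restorecon -Rv "$1"
}

# Stand-alone run: analyse the sample and print the commands that would fix it.
if is_mislabelled_module "$AVC_SAMPLE"; then
    echo "module_load denied on $(avc_path "$AVC_SAMPLE"), current type: $(avc_target_type "$AVC_SAMPLE")"
    echo "fix: semanage fcontext -a -t modules_object_t '$(fcontext_pattern /opt/sophos-av/talpa)'"
    echo "     restorecon -Rv /opt/sophos-av/talpa"
fi
```

After running `label_module_dir /opt/sophos-av/talpa` on the host, `ls -Z` on the `.ko` file should show `modules_object_t` instead of `usr_t`, and the `module_load` denial should stop appearing in the audit log. The analysis functions only read the AVC line, so they can be pointed at any denial copied from `/var/log/audit/audit.log` to confirm whether a relabel is the right fix before touching the policy store.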