Package: kmod
Version: 26+20191223-1
File: /usr/share/initramfs-tools/hooks/kmod
User: [email protected]
Usertags: selinux

Hi,

currently the kmod hook for initramfs uses 'cp -a' to gather the files
for the initramfs.
'-a' unfolds to '-dR --preserve=all', and 'preserve=all' forces cp to
copy an existing SELinux context.
This results in odd denials/permission-requests like:

type=PROCTITLE msg=audit(01/07/20 17:26:43.395:10391) : proctitle=cp -a /sbin/modprobe /sbin/rmmod /var/tmp/mkinitramfs_4AmET1/sbin/
type=PATH msg=audit(01/07/20 17:26:43.395:10391) : item=2 name=/var/tmp/mkinitramfs_4AmET1/sbin/modprobe nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(01/07/20 17:26:43.395:10391) : item=1 name=/var/tmp/mkinitramfs_4AmET1/sbin/ inode=1742 dev=08:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=root:object_r:initramfs_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(01/07/20 17:26:43.395:10391) : item=0 name=/bin/kmod nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/07/20 17:26:43.395:10391) : cwd=/root/workspace/selinux/selinux-policy-debian
type=SYSCALL msg=audit(01/07/20 17:26:43.395:10391) : arch=x86_64 syscall=symlinkat success=no exit=EACCES(Permission denied) a0=0x55fc999d26f0 a1=0xffffff9c a2=0x55fc999d2670 a3=0x55fc98209780 items=3 ppid=62060 pid=62061 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=cp exe=/usr/bin/cp subj=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/07/20 17:26:43.395:10391) : avc:  denied  { create } for  pid=62061 comm=cp name=modprobe scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
----
type=PROCTITLE msg=audit(01/07/20 17:26:43.399:10392) : proctitle=cp -a /sbin/modprobe /sbin/rmmod /var/tmp/mkinitramfs_4AmET1/sbin/
type=PATH msg=audit(01/07/20 17:26:43.399:10392) : item=2 name=/var/tmp/mkinitramfs_4AmET1/sbin/rmmod nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(01/07/20 17:26:43.399:10392) : item=1 name=/var/tmp/mkinitramfs_4AmET1/sbin/ inode=1742 dev=08:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=root:object_r:initramfs_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(01/07/20 17:26:43.399:10392) : item=0 name=/bin/kmod nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/07/20 17:26:43.399:10392) : cwd=/root/workspace/selinux/selinux-policy-debian
type=SYSCALL msg=audit(01/07/20 17:26:43.399:10392) : arch=x86_64 syscall=symlinkat success=no exit=EACCES(Permission denied) a0=0x55fc999d2940 a1=0xffffff9c a2=0x55fc999d28f0 a3=0x1 items=3 ppid=62060 pid=62061 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=cp exe=/usr/bin/cp subj=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/07/20 17:26:43.399:10392) : avc:  denied  { create } for  pid=62061 comm=cp name=rmmod scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0

These copied files should not inherit the original bin_t context, or
at least it should be configurable by the SELinux policy writer.

Please consider using the option '--no-preserve=context,xattr'.

Best regards
      Christian Göttsche
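The AVC records quoted above are easier to triage once each denial is reduced to the fields a policy writer actually keys on: source type, target type, object class and permission. The following POSIX shell helper does that for records in the same "ausearch -i" style as the report. It is an added example, not part of this bug report or of the kmod package; it assumes only that awk is available, and the sample records embedded in it are constructed from the report (two denials, plus a SYSCALL record and a granted record that must be ignored).

```shell
#!/bin/sh
# Added example: triage helper for SELinux AVC records in "ausearch -i" style.
# Not part of the bug report or of the kmod package; needs only POSIX sh + awk.

# Constructed sample input modelled on the report: the two denials from the
# "cp -a" run, one SYSCALL record and one granted AVC record (both ignored).
SAMPLE_AUDIT='type=AVC msg=audit(01/07/20 17:26:43.395:10391) : avc:  denied  { create } for  pid=62061 comm=cp name=modprobe scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(01/07/20 17:26:43.395:10391) : arch=x86_64 syscall=symlinkat success=no exit=EACCES(Permission denied) comm=cp exe=/usr/bin/cp
type=AVC msg=audit(01/07/20 17:26:43.399:10392) : avc:  denied  { create } for  pid=62061 comm=cp name=rmmod scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(01/07/20 17:26:44.100:10393) : avc:  granted  { read } for  pid=1 comm=init scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# summarise_avc: read audit records on stdin and print one line per denied
# AVC record:  <source type> <target type> <class> <permission(s)> <comm> <name>
# Records logged in permissive mode (permissive=1) were allowed anyway; they
# are marked so that a reviewer still sees the policy gap.
summarise_avc() {
    awk '
    /^type=AVC / && /avc: +denied +[{]/ {
        perm = "?"
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)   # "{ create }" -> "create"
        sctx = ""; tctx = ""; cls = "?"; comm = "?"; name = "?"; pmode = "0"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "scontext") sctx = v
            else if (k == "tcontext") tctx = v
            else if (k == "tclass") cls = v
            else if (k == "comm") comm = v
            else if (k == "name") name = v
            else if (k == "permissive") pmode = v
        }
        # A context is user:role:type[:level]; policy rules key on the type.
        split(sctx, s, ":"); split(tctx, t, ":")
        flag = (pmode == "1") ? " (permissive)" : ""
        printf "%s %s %s %s %s %s%s\n", s[3], t[3], cls, perm, comm, name, flag
    }'
}

# count_avc_denials: number of denied AVC records on stdin (0 for no input).
count_avc_denials() {
    summarise_avc | awk 'END { print NR }'
}

# denials_by_pair: aggregate denials per (source type, target type, class).
# This is the granularity at which a policy writer decides whether to add an
# allow rule or, as in this report, to stop the label being inherited at all.
# Output order across different pairs is unspecified (awk "for (k in c)").
denials_by_pair() {
    summarise_avc | awk '{ c[$1 " " $2 " " $3]++ } END { for (k in c) print c[k], k }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | summarise_avc
printf '%s\n' "$SAMPLE_AUDIT" | denials_by_pair
```

On the report's records this yields two lines of `initramfs_t bin_t lnk_file create cp modprobe` / `... rmmod`, which makes the root cause visible at a glance: the symlinks being created inside the initramfs_tmp_t staging directory carry the bin_t label of their source rather than the label the parent directory would give them. Feed real data with `ausearch -i -m AVC | summarise_avc`.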


--- /root/workspace/initramfs-hooks.kmod        2020-01-07
21:23:47.122917969 +0100
+++ /usr/share/initramfs-tools/hooks/kmod       2020-01-07
21:24:19.062430686 +0100
@@ -7,10 +7,10 @@
 . /usr/share/initramfs-tools/hook-functions

 copy_exec /bin/kmod
-cp -a /sbin/modprobe /sbin/rmmod "$DESTDIR/sbin/"
+cp -a --no-preserve=context,xattr /sbin/modprobe /sbin/rmmod "$DESTDIR/sbin/"

 mkdir -p "$DESTDIR/lib/modprobe.d/"
 if [ "$(echo /lib/modprobe.d/*)" != "/lib/modprobe.d/*" ]; then
-  cp -a /lib/modprobe.d/* "$DESTDIR/lib/modprobe.d/"
+  cp -a --no-preserve=context,xattr /lib/modprobe.d/*
"$DESTDIR/lib/modprobe.d/"
 fi
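Review bot: the second changed line, `+  cp -a --no-preserve=context,xattr /lib/modprobe.d/*` followed by `"$DESTDIR/lib/modprobe.d/"` on a line of its own, has been wrapped by the mail client, so the patch will not apply as pasted; please resend it as an attachment or with line wrapping disabled. Also consider a one-line comment above the two `cp` calls stating why both `context` and `xattr` are excluded (the lnk_file create denial on the inherited bin_t label from the report), so that a later cleanup does not silently revert them to plain `cp -a`.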
