selinux blocks unconfined service from loading kernel module

Douglas Leeder asked:

I have a daemon running as unconfined_service_t SELinux type, on Redhat Enterprise Linux 8:

# ps -eZ | grep savd
system_u:system_r:unconfined_service_t:s0 693 ? 00:00:00 savd

It is trying to load a Linux kernel module using insmod.

SELinux (in enforcing mode) is blocking it:

type=AVC msg=audit(1566572669.301:24): avc:  denied  { module_load } for  pid=815 comm="insmod" path="/opt/sophos-av/talpa/current/talpa_syscallhook.ko" dev="xvda2" ino=48087622 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=system permissive=0

I’ve tried to set domain_kernel_load_modules to allow all domains to load kernel modules:

setsebool -P domain_kernel_load_modules 1

Just in case I had misunderstood, I tried 0 as well, and rebooting, but loading kernel modules was blocked either way.

audit2allow suggests creating a rule for it, but I thought domain_kernel_load_modules would allow all processes to load kernel modules, so I don’t understand why it isn’t working.

Can I get unconfined services to be able to load kernel modules without creating an additional policy?

This is an AWS instance VM, if that matters.

My answer:

Your file containing the kernel module has the security context system_u:object_r:usr_t:s0. This is not the expected type for a kernel module. This makes me think that something went wrong with your installation, as Sophos should have set the correct security context when it was installed. It could be a bug.

Anyway, the correct type is modules_object_t. You can try changing the type of the file as a workaround, until Sophos fixes the problem. (Which you should also report to them.)

chcon -t modules_object_t /opt/sophos-av/talpa/current/talpa_syscallhook.ko
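A small triage helper, added here and not part of the original answer: it parses an AVC record like the one in the question and, when the denial is module_load on a file whose type is anything other than modules_object_t, prints the chcon command above instead of turning the record into a policy rule with audit2allow. The AVC line embedded below is the one quoted in the question; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: triage a module_load AVC denial.
# If the target file's type is anything but modules_object_t, the denial is a
# labelling problem and the chcon from the answer applies; if the label is
# already modules_object_t, it is a genuine policy decision and relabelling
# will not help.

# Constructed input: the AVC record quoted in the question.
SAMPLE_AVC='type=AVC msg=audit(1566572669.301:24): avc:  denied  { module_load } for  pid=815 comm="insmod" path="/opt/sophos-av/talpa/current/talpa_syscallhook.ko" dev="xvda2" ino=48087622 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=system permissive=0'

# Print the value of key=value (quoted or bare) from an audit record.
avc_field() {
    rest="${1#* $2=}"
    [ "$rest" != "$1" ] || return 1          # key not present
    case "$rest" in
        \"*) rest="${rest#\"}"; printf '%s\n' "${rest%%\"*}" ;;
        *)   printf '%s\n' "${rest%% *}" ;;
    esac
}

# Third field of user:role:type:level, e.g. system_u:object_r:usr_t:s0 -> usr_t
se_type() {
    t="${1#*:*:}"
    printf '%s\n' "${t%%:*}"
}

# Returns 0 and prints the relabel command when the module file is mislabelled.
# Returns 1 when the record is not a module_load denial, or when the file is
# already modules_object_t (then a policy module, not a relabel, is the fix).
triage_module_load() {
    case "$1" in *"{ module_load }"*) ;; *) return 1 ;; esac
    [ "$(avc_field "$1" tclass)" = "system" ] || return 1
    path=$(avc_field "$1" path) || return 1
    ttype=$(se_type "$(avc_field "$1" tcontext)")
    [ "$ttype" != "modules_object_t" ] || return 1
    printf 'chcon -t modules_object_t %s\n' "$path"
}

triage_module_load "$SAMPLE_AVC"   # prints: chcon -t modules_object_t /opt/sophos-av/talpa/current/talpa_syscallhook.ko
```

chcon only changes the label on the inode, so a later relabel (restorecon or fixfiles) would revert it; to make the fix survive that, register the path with semanage fcontext -a -t modules_object_t and then run restorecon on it.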

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.