I have a daemon running as unconfined_service_t SELinux type, on Redhat Enterprise Linux 8:
# ps -eZ | grep savd
system_u:system_r:unconfined_service_t:s0 693 ? 00:00:00 savd
It is trying to load a Linux kernel module using insmod.
SELinux (in enforcing mode) is blocking it:
type=AVC msg=audit(1566572669.301:24): avc: denied { module_load } for pid=815 comm="insmod" path="/opt/sophos-av/talpa/current/talpa_syscallhook.ko" dev="xvda2" ino=48087622 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=system permissive=0
I've tried to set domain_kernel_load_modules to allow all domains to load kernel modules:
setsebool -P domain_kernel_load_modules 1
Just in case I had misunderstood, I tried 0 as well, and rebooting, but loading kernel modules was blocked either way.
audit2allow suggests creating a rule for it, but I thought domain_kernel_load_modules would allow all processes to load kernel modules, so I don't understand why it isn't working.
Can I get unconfined services to be able to load kernel modules without creating an additional policy?
This is an AWS instance VM, if that matters.
Your file containing the kernel module has the security context system_u:object_r:usr_t:s0. This is not the expected type for a kernel module. This makes me think that something went wrong with your installation, as Sophos should have set the correct security context when it was installed. It could be a bug. Anyway, the correct type is modules_object_t. You can try changing the type of the file as a workaround until Sophos fixes the problem (which you should also report to them).
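The check and the relabel described in the answer, as an added example that is not from the question or the answer: it parses the AVC record from the question (embedded here as a constructed sample), compares the target type against modules_object_t, and emits a persistent relabel with semanage fcontext plus restorecon rather than a one-off chcon. The expected type comes from the answer; the directory-wide regex for the label is an assumption.

```shell
#!/bin/sh
# Added example: diagnose a module_load AVC denial and print the relabel
# that makes the module file modules_object_t persistently.

# Constructed sample: the denial from the question, reproduced verbatim.
AVC_SAMPLE='type=AVC msg=audit(1566572669.301:24): avc: denied { module_load } for pid=815 comm="insmod" path="/opt/sophos-av/talpa/current/talpa_syscallhook.ko" dev="xvda2" ino=48087622 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=system permissive=0'

# Type a loadable kernel module file is expected to carry (from the answer).
EXPECTED_TYPE=modules_object_t

# avc_field LINE KEY -> value of KEY=... with surrounding quotes stripped,
# empty when the key is absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_type CONTEXT -> the type component (third field) of an SELinux context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# module_load_fix LINE -> prints remediation commands when a module_load
# denial hit a file that is not labelled $EXPECTED_TYPE; returns 1 (and prints
# nothing) when the record is not such a denial or the label is already right.
module_load_fix() {
    line=$1
    case $line in
        *"{ module_load }"*) ;;
        *) return 1 ;;
    esac
    path=$(avc_field "$line" path)
    ttype=$(avc_type "$(avc_field "$line" tcontext)")
    [ -n "$path" ] && [ "$ttype" != "$EXPECTED_TYPE" ] || return 1
    # Assumption: label every .ko in the module's directory, not just this one,
    # so a restorecon keeps siblings consistent.
    dir=$(dirname "$path")
    printf 'semanage fcontext -a -t %s "%s/.*\\.ko"\n' "$EXPECTED_TYPE" "$dir"
    printf 'restorecon -Rv "%s"\n' "$dir"
    printf 'ls -Z "%s"   # verify: the type field should now read %s\n' "$path" "$EXPECTED_TYPE"
    return 0
}

module_load_fix "$AVC_SAMPLE"
```

On RHEL 8 semanage is provided by policycoreutils-python-utils; a plain chcon would fix the file only until the next restorecon relabels it back to usr_t.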