I have a daemon running as the unconfined_service_t SELinux type on Red Hat Enterprise Linux 8:
# ps -eZ | grep savd
system_u:system_r:unconfined_service_t:s0 693 ? 00:00:00 savd
It is trying to load a Linux kernel module using insmod.
SELinux (in enforcing mode) is blocking it:
type=AVC msg=audit(1566572669.301:24): avc: denied { module_load } for pid=815 comm="insmod" path="/opt/sophos-av/talpa/current/talpa_syscallhook.ko" dev="xvda2" ino=48087622 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=system permissive=0
I've tried to set domain_kernel_load_modules to allow all domains to load kernel modules:
setsebool -P domain_kernel_load_modules 1
Just in case I had misunderstood, I tried 0 as well, and rebooting, but loading kernel modules was blocked either way.
audit2allow suggests creating a rule for it, but I thought domain_kernel_load_modules would allow all processes to load kernel modules, so I don't understand why it isn't working.
Can I get unconfined services to be able to load kernel modules without creating an additional policy?
This is an AWS instance VM, if that matters.
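A small triage helper, added here as an example and not part of the original question or of any vendor's tooling: it parses the AVC line quoted above into the fields that decide the verdict (permission, source type, target type, object class, path) and checks whether the denied object carries modules_object_t, the type the RHEL policy gives kernel modules under /lib/modules. The second AVC line is constructed for contrast against a correctly labelled module; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): pull the decisive fields out of
# an SELinux AVC denial so the source/target/class mismatch is visible without
# running audit2allow.

# The denial quoted in the post (verbatim).
POSTED_AVC='type=AVC msg=audit(1566572669.301:24): avc: denied { module_load } for pid=815 comm="insmod" path="/opt/sophos-av/talpa/current/talpa_syscallhook.ko" dev="xvda2" ino=48087622 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=system permissive=0'

# Constructed for contrast: same domain, but the .ko carries modules_object_t.
CONSTRUCTED_AVC='type=AVC msg=audit(1566572700.000:25): avc: denied { module_load } for pid=900 comm="insmod" path="/lib/modules/4.18.0/extra/example.ko" dev="xvda2" ino=1 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0'

# avc_field LINE KEY : value of KEY=value in LINE, surrounding quotes removed
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_perm LINE : the permission(s) listed between the braces after "denied"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*}.*/\1/p'
}

# ctx_type CONTEXT : the type component of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE : "perm source_type target_type class path" on one line
avc_summary() {
    printf '%s %s %s %s %s\n' \
        "$(avc_perm "$1")" \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" path)"
}

# avc_target_is_module LINE : succeeds when the denied object is labelled with
# modules_object_t, the type the RHEL policy uses for files under /lib/modules
avc_target_is_module() {
    [ "$(ctx_type "$(avc_field "$1" tcontext)")" = modules_object_t ]
}

# Usage: digest the posted denial and say whether the target label is the one
# kernel modules normally carry.
avc_summary "$POSTED_AVC"
if avc_target_is_module "$POSTED_AVC"; then
    echo "target is labelled modules_object_t"
else
    echo "target is NOT labelled modules_object_t (check: ls -Z on the .ko)"
fi
```

On a live system the same fields come from `ausearch -m AVC -ts recent`, and `ls -Z` on the path confirms the label the audit record reports.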