1kmod_selinux(8)               SELinux Policy kmod              kmod_selinux(8)
2
3
4

NAME

6       kmod_selinux - Security Enhanced Linux Policy for the kmod processes
7

DESCRIPTION

9       Security-Enhanced  Linux secures the kmod processes via flexible manda‐
10       tory access control.
11
12       The kmod processes execute with the kmod_t SELinux type. You can  check
13       if  you  have  these processes running by executing the ps command with
14       the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep kmod_t
19
20
21

ENTRYPOINTS

23       The kmod_t SELinux type can be entered via the kmod_exec_t file type.
24
25       The default entrypoint paths for the kmod_t domain are the following:
26
27       /sbin/rmmod.*,   /sbin/depmod.*,   /sbin/insmod.*,    /sbin/modprobe.*,
28       /usr/sbin/rmmod.*,        /usr/sbin/depmod.*,       /usr/sbin/insmod.*,
29       /usr/sbin/modprobe.*, /bin/kmod,  /usr/bin/kmod,  /sbin/modules-update,
30       /sbin/update-modules,  /usr/sbin/modules-update,  /usr/sbin/update-mod‐
31       ules, /sbin/generate-modprobe.conf, /usr/sbin/generate-modprobe.conf
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       kmod policy is very flexible allowing users to setup  their  kmod  pro‐
41       cesses in as secure a method as possible.
42
43       The following process types are defined for kmod:
44
45       kmod_t
46
47       Note:  semanage  permissive  -a  kmod_t can be used to make the process
48       type kmod_t permissive. SELinux does  not  deny  access  to  permissive
49       process  types, but the AVC (SELinux denials) messages are still gener‐
50       ated.
51
52

BOOLEANS

54       SELinux policy is customizable based on least  access  required.   kmod
55       policy is extremely flexible and has several booleans that allow you to
56       manipulate the policy and run kmod with the tightest access possible.
57
58
59
60       If you want to control the ability to mmap a low area  of  the  address
61       space,  as  configured  by /proc/sys/vm/mmap_min_addr, you must turn on
62       the mmap_low_allowed boolean. Disabled by default.
63
64       setsebool -P mmap_low_allowed 1
65
66
67
68       If you want to disable kernel module loading, you must turn on the  se‐
69       cure_mode_insmod boolean. Enabled by default.
70
71       setsebool -P secure_mode_insmod 1
72
73
74
75       If  you  want to allow unconfined executables to make their heap memory
76       executable.  Doing this is a really  bad  idea.  Probably  indicates  a
77       badly  coded  executable, but could indicate an attack. This executable
78       should be reported in bugzilla, you must turn  on  the  selinuxuser_ex‐
79       echeap boolean. Disabled by default.
80
81       setsebool -P selinuxuser_execheap 1
82
83
84
85       If  you  want  to allow unconfined executables to make their stack exe‐
86       cutable.  This should never, ever be necessary.  Probably  indicates  a
87       badly  coded  executable, but could indicate an attack. This executable
88       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
89       stack boolean. Enabled by default.
90
91       setsebool -P selinuxuser_execstack 1
92
93
94

MANAGED FILES

96       The  SELinux process type kmod_t can manage files labeled with the fol‐
97       lowing file types.  The paths listed are the default  paths  for  these
98       file types.  Note the processes UID still need to have DAC permissions.
99
100       file_type
101
102            all files on the system
103
104

FILE CONTEXTS

106       SELinux requires files to have an extended attribute to define the file
107       type.
108
109       You can see the context of a file using the -Z option to ls
110
111       Policy governs the access  confined  processes  have  to  these  files.
112       SELinux kmod policy is very flexible allowing users to setup their kmod
113       processes in as secure a method as possible.
114
115       STANDARD FILE CONTEXT
116
117       SELinux defines the file context types for the kmod, if you  wanted  to
118       store  files  with  these types in a diffent paths, you need to execute
119       the semanage command to specify alternate labeling  and  then  use  re‐
120       storecon to put the labels on disk.
121
122       semanage fcontext -a -t kmod_tmpfs_t '/srv/mykmod_content(/.*)?'
123       restorecon -R -v /srv/mykmod_content
124
125       Note:  SELinux  often  uses  regular expressions to specify labels that
126       match multiple files.
127
128       The following file types are defined for kmod:
129
130
131
132       kmod_exec_t
133
134       - Set files with the kmod_exec_t type, if you want to transition an ex‐
135       ecutable to the kmod_t domain.
136
137
138       Paths:
139            /sbin/rmmod.*,  /sbin/depmod.*,  /sbin/insmod.*, /sbin/modprobe.*,
140            /usr/sbin/rmmod.*,     /usr/sbin/depmod.*,     /usr/sbin/insmod.*,
141            /usr/sbin/modprobe.*,  /bin/kmod, /usr/bin/kmod, /sbin/modules-up‐
142            date,       /sbin/update-modules,        /usr/sbin/modules-update,
143            /usr/sbin/update-modules,            /sbin/generate-modprobe.conf,
144            /usr/sbin/generate-modprobe.conf
145
146
147       kmod_tmp_t
148
149       - Set files with the kmod_tmp_t type, if you want to store kmod  tempo‐
150       rary files in the /tmp directories.
151
152
153
154       kmod_tmpfs_t
155
156       - Set files with the kmod_tmpfs_t type, if you want to store kmod files
157       on a tmpfs file system.
158
159
160
161       kmod_var_run_t
162
163       - Set files with the kmod_var_run_t type, if you want to store the kmod
164       files under the /run or /var/run directory.
165
166
167
168       Note:  File context can be temporarily modified with the chcon command.
169       If you want to permanently change the file context you need to use  the
170       semanage fcontext command.  This will modify the SELinux labeling data‐
171       base.  You will need to use restorecon to apply the labels.
172
173

COMMANDS

175       semanage fcontext can also be used to manipulate default  file  context
176       mappings.
177
178       semanage  permissive  can  also  be used to manipulate whether or not a
179       process type is permissive.
180
181       semanage module can also be used to enable/disable/install/remove  pol‐
182       icy modules.
183
184       semanage boolean can also be used to manipulate the booleans
185
186
187       system-config-selinux is a GUI tool available to customize SELinux pol‐
188       icy settings.
189
190

AUTHOR

192       This manual page was auto-generated using sepolicy manpage .
193
194

SEE ALSO

196       selinux(8), kmod(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
197       setsebool(8)
198
199
200
201kmod                               23-02-03                    kmod_selinux(8)
Impressum