Selinux 阻止了我的外部核心模組

我正在嘗試以永久模式插入外部核心模組。systemd-modules-load在引導期間，只要Selinux允許，我的模組就會被服務載入。但我想保持強制模式。我無法Selinux使用命令將我的模組插入到列表中semodule。我還能做什麼？這是我的環境：

Fedora release 27
Kernel version 4.18.19-100.fc27.x86_64

rpm -qa ‘selinux-*’ 輸出：

selinux-policy-targeted-3.13.1-284.37.fc27.noarch
selinux-policy-3.13.1-284.37.fc27.noarch

狀態輸出：

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

systemctl status systemd-modules-load.service 輸出：

● systemd-modules-load.service - Load Kernel Modules
  Loaded: loaded (/usr/lib/systemd/system/systemd-modules-load.service; static; vendor preset: disabled)
  Active: failed (Result: exit-code) since Fri 2018-12-14 09:50:42 CET; 19min ago
    Docs: man:systemd-modules-load.service(8)
          man:modules-load.d(5)
 Process: 4397 ExecStart=/usr/lib/systemd/systemd-modules-load (code=exited, status=1/FAILURE)
Main PID: 4397 (code=exited, status=1/FAILURE)

dic 14 09:50:42 localhost.localdomain systemd[1]: Starting Load Kernel Modules...
dic 14 09:50:42 localhost.localdomain systemd-modules-load[4397]: Failed to insert 'hello': Permission denied
dic 14 09:50:42 localhost.localdomain systemd[1]: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE
dic 14 09:50:42 localhost.localdomain systemd[1]: Failed to start Load Kernel Modules.
dic 14 09:50:42 localhost.localdomain systemd[1]: systemd-modules-load.service: Unit entered failed state.
dic 14 09:50:42 localhost.localdomain systemd[1]: systemd-modules-load.service: Failed with result 'exit-code'.

ls -lZ /usr/lib/systemd/systemd-modules-load 輸出：

-rwxr-xr-x. 1 root root system_u:object_r:systemd_modules_load_exec_t:s0 15576  4 mag  2018 /usr/lib/systemd/systemd-modules-load

---

/var/log/audit/audit.log

type=SELINUX_ERR msg=audit(1533716850.521:304): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 newcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
type=SELINUX_ERR msg=audit(1533716850.596:305): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 newcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
type=SELINUX_ERR msg=audit(1533716851.081:306): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 newcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
type=SELINUX_ERR msg=audit(1533716851.422:307): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 newcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
..
type=SELINUX_ERR msg=audit(1533717134.510:310): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:fprintd_t:s0

---

journalctl -xeb -u systemd-modules-load.service

L'unità systemd-modules-load.service ha iniziato la fase di avvio.
dic 13 16:38:08 localhost.localdomain systemd-modules-load[14937]: Failed to insert 'hello': Permission denied
dic 13 16:38:08 localhost.localdomain systemd[1]: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE
dic 13 16:38:08 localhost.localdomain systemd[1]: Failed to start Load Kernel Modules. -- Subject: L'unità systemd-modules-load.service è fallita

ls -Z

   system_u:object_r:modules_object_t:s0 bls.conf             unconfined_u:object_r:modules_object_t:s0 modules.devname
   system_u:object_r:modules_object_t:s0 build                    system_u:object_r:modules_object_t:s0 modules.drm
   system_u:object_r:modules_object_t:s0 config                   system_u:object_r:modules_object_t:s0 modules.modesetting
   system_u:object_r:modules_object_t:s0 extra                    system_u:object_r:modules_object_t:s0 modules.networking
unconfined_u:object_r:modules_object_t:s0 hello.ko                 system_u:object_r:modules_object_t:s0 modules.order
   system_u:object_r:modules_object_t:s0 kernel               unconfined_u:object_r:modules_object_t:s0 modules.softdep
unconfined_u:object_r:modules_object_t:s0 modules.alias        unconfined_u:object_r:modules_object_t:s0 modules.symbols
unconfined_u:object_r:modules_object_t:s0 modules.alias.bin    unconfined_u:object_r:modules_object_t:s0 modules.symbols.bin
   system_u:object_r:modules_object_t:s0 modules.block            system_u:object_r:modules_object_t:s0 source
   system_u:object_r:modules_object_t:s0 modules.builtin          system_u:object_r:modules_object_t:s0 System.map
unconfined_u:object_r:modules_object_t:s0 modules.builtin.bin      system_u:object_r:modules_object_t:s0 updates
unconfined_u:object_r:modules_object_t:s0 modules.dep              system_u:object_r:modules_object_t:s0 vdso
unconfined_u:object_r:modules_object_t:s0 modules.dep.bin                     system_u:object_r:usr_t:s0 vmlinuz

我的模組在

/lib/modules/$(uname -r)

解決了！建構核心模組後，我將其放入目錄/lib/modules/$(uname -r)/kernel/drivers/net中。然後用命令depmod我解決了這個問題。現在它在每次啟動後載入。

從安全的角度來看，這可能並不理想……但是您可以嘗試通過調整此 SELinux 布爾值來解決此問題，同時Enforcing通過允許任何域載入核心模組來保持模式：

$ sudo semanage boolean --list | grep domain_kernel_load_modules
domain_kernel_load_modules     (off  ,  off)  Allow all domains to have the kernel load modules

您可以使用以下方法對其進行調整：

$ sudo semanage boolean --modify --on domain_kernel_load_modules

此操作實際上會修改已編譯的 SELinux 策略，因此一旦您執行該命令，它就是永久的（無需在進一步重新啟動時再次執行它。）

引用自：https://unix.stackexchange.com/questions/487786