[refpolicy] In Fedora policy we have simplified the secure_mode_insmod

Christopher J. PeBenito cpebenito at tresys.com
Fri Sep 9 10:56:09 CDT 2011


On 09/09/11 07:22, Daniel J Walsh wrote:
> Now this boolean controls sys_module, so we always transition but we
> can turn off the ability to insert modules into the kernel.
> 
> This is much simpler then what we had before.
> 
> If you like this I have a similar patch for secure_mode_loadpolicy

So with the current implementation, there are conditional module loaders and unconditional module loaders.  Do we really want to make all module loading conditional?  I'm fine with that, but are there reasons to keep the current conditional/unconditional behavior?  If so we can still keep that functionality, but implement it similar to this patch.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


More information about the refpolicy mailing list