[refpolicy] In Fedora policy we have simplified the secure_mode_insmod

Daniel J Walsh dwalsh at redhat.com
Sat Sep 10 04:55:02 CDT 2011


On 09/09/2011 11:56 AM, Christopher J. PeBenito wrote:
> On 09/09/11 07:22, Daniel J Walsh wrote:
>> Now this boolean controls sys_module, so we always transition but
>> we can turn off the ability to insert modules into the kernel.
>> 
>> This is much simpler than what we had before.
>> 
>> If you like this I have a similar patch for
>> secure_mode_loadpolicy
> 
> So with the current implementation, there are conditional module
> loaders and unconditional module loaders.  Do we really want to
> make all module loading conditional?  I'm fine with that, but are
> there reasons to keep the current conditional/unconditional
> behavior?  If so we can still keep that functionality, but
> implement it similar to this patch.
> 
I think this should be unconditional.  If you want to shut off loading
kernel modules, this patch will do it even with unconfined programs
running.  It would be a pain to run with this system, but at least the
users know that at a certain state of the machine no kernel modules
can be loaded.
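The two designs discussed in the thread, as an added refpolicy-style illustration written for this page (it is not the Fedora patch itself). It assumes the refpolicy types insmod_t and insmod_exec_t and a hypothetical caller domain mydaemon_t.

```selinux
# Added illustration, not the Fedora patch. Assumes refpolicy's insmod_t /
# insmod_exec_t and a hypothetical caller domain mydaemon_t.

gen_bool(secure_mode_insmod, false)

########################################
# Old pattern: the boolean gates the *transition* into insmod_t.
# A caller whose domtrans is not wrapped in this block (an "unconditional
# loader", e.g. an unconfined domain) keeps loading modules whatever the
# boolean says, which is the conditional/unconditional split mentioned above.
if (!secure_mode_insmod) {
	domtrans_pattern(mydaemon_t, insmod_exec_t, insmod_t)
}

########################################
# New pattern: every caller always transitions into insmod_t ...
domtrans_pattern(mydaemon_t, insmod_exec_t, insmod_t)

# ... and the boolean gates the single capability that actually permits the
# insertion. With the boolean on, nothing running as insmod_t can obtain
# sys_module, no matter which domain started it.
if (!secure_mode_insmod) {
	allow insmod_t self:capability sys_module;
}
```

On a running system the switch is flipped with `setsebool -P secure_mode_insmod on` and inspected with `getsebool secure_mode_insmod`; the denial of `sys_module` then shows up as a normal AVC message in the audit log.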

