[refpolicy] RFC: secure_mode_policyload revision

Dominick Grift dominick.grift at gmail.com
Fri Sep 23 10:04:28 CDT 2011


On Fri, 2011-09-23 at 10:25 -0400, Christopher J. PeBenito wrote:
> Right now, secure_mode_policyload disables policy loading and Boolean changing.  The latter is to prevent secure_mode_policyload from being turned off.  I was thinking that secure_mode_policyload could be revised by labeling this Boolean, and then only removing access to it when secure_mode_policyload is enabled, so Booleans can still be toggled, except for secure_mode_policyload.  Thoughts?
> 

My thoughts on this are:

Does boolean toggling not involve a policyload? (I am too lazy to add an
auditallow rule, but I gather you took that into account, so it must not be
the case, or policyload must actually not refer to the load_policy
permission.)

> Sep 23 16:58:10 x220 dbus[1511]: avc:  received policyload notice (seqno=2)
> Sep 23 16:58:10 x220 dbus[1138]: avc:  received policyload notice (seqno=2)
> Sep 23 16:58:10 x220 dbus-daemon[1138]: dbus[1138]: avc:  received policyload notice (seqno=2)
> Sep 23 16:58:10 x220 dbus[1138]: [system] Reloaded configuration
> Sep 23 16:58:10 x220 dbus-daemon[1138]: dbus[1138]: [system] Reloaded configuration
> Sep 23 16:58:10 x220 setsebool: The xend_run_qemu policy boolean was changed to on by root

Besides that, I think:

> ## <desc>
> ##	<p>
> ##	Make the specified type used for labeling SELinux Booleans.
> ##	</p>
> ##	<p>
> ##	This makes use of genfscon statements, which are only
> ##	available in the base module.  Thus any module which calls this
> ##	interface must be included in the base module.
> ##	</p>
> ## </desc>

No big deal in this case because the selinux module is in base already.
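A sketch of the proposal under discussion, added here for illustration; it is not refpolicy's own code and not part of either message above. It is written in raw kernel policy language rather than refpolicy's m4 wrappers, and the type name secure_mode_policyload_bool_t, the caller domain secadm_t and the exact permission set are assumptions: the page shows only the interface description, not the names refpolicy actually uses.

```selinux
# Added example, not refpolicy code. Names marked below are assumptions.

# The Boolean itself, plus a dedicated type (assumed name) for the file that
# represents it under /sys/fs/selinux/booleans/.
bool secure_mode_policyload false;
type secure_mode_policyload_bool_t;

# Label only this one Boolean with the dedicated type; every other Boolean
# keeps the generic selinuxfs label. genfscon is only valid in the base
# module, which is the restriction the quoted interface description notes.
genfscon selinuxfs /booleans/secure_mode_policyload gen_context(system_u:object_r:secure_mode_policyload_bool_t,s0)

# Toggling a Boolean means writing its selinuxfs file (file write on the
# file's label, plus setbool on the security class, which is not shown here).
# Grant write access to this one file only while the mode is off; once
# secure_mode_policyload is on, no domain can write it, so the mode cannot be
# turned back off from a running system, while all other Booleans stay
# toggleable.  secadm_t as the administrative caller is an assumption.
if (!secure_mode_policyload) {
	allow secadm_t secure_mode_policyload_bool_t:file { getattr open read write };
}
```

The point of the separate type is that the conditional rule can withdraw access to exactly one Boolean instead of withdrawing setbool for all of them, which is what the current secure_mode_policyload does. The commit step (writing /sys/fs/selinux/commit_pending_bools) is governed by the generic selinuxfs label and is left out of the sketch.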
