[refpolicy] RFC: secure_mode_policyload revision

Christopher J. PeBenito cpebenito at tresys.com
Fri Sep 23 10:43:10 CDT 2011


On 09/23/11 11:04, Dominick Grift wrote:
> On Fri, 2011-09-23 at 10:25 -0400, Christopher J. PeBenito wrote:
>> Right now, secure_mode_policyload disables policy loading and Boolean changing.  The latter is to prevent secure_mode_policyload from being turned off.  I was thinking that secure_mode_policyload could be revised by labeling this Boolean, and then only removing access to it when secure_mode_policyload is enabled, so Booleans can still be toggled, except for secure_mode_policyload.  Thoughts?
>>
> 
> My thoughts on this are:
> 
> Does boolean toggling not involve a policyload? (I am too lazy to add an
> auditallow rule, but I gather you took that into account, so that must not be
> the case, or policyload must actually not refer to the load_policy permission.)
> 
> 
>> Sep 23 16:58:10 x220 dbus[1511]: avc:  received policyload notice (seqno=2)
>> Sep 23 16:58:10 x220 dbus[1138]: avc:  received policyload notice (seqno=2)
>> Sep 23 16:58:10 x220 dbus-daemon[1138]: dbus[1138]: avc:  received policyload notice (seqno=2)
>> Sep 23 16:58:10 x220 dbus[1138]: [system] Reloaded configuration
>> Sep 23 16:58:10 x220 dbus-daemon[1138]: dbus[1138]: [system] Reloaded configuration
>> Sep 23 16:58:10 x220 setsebool: The xend_run_qemu policy boolean was changed to on by root

Are you sure you're not doing setsebool -P?  That rebuilds the policy.  If you skip -P, it shouldn't require a policy load.  If it is triggering a policy load, that is a bug.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

