[refpolicy] RFC: secure_mode_policyload revision

Dominick Grift dominick.grift at gmail.com
Fri Sep 23 11:35:04 CDT 2011


On Fri, 2011-09-23 at 11:43 -0400, Christopher J. PeBenito wrote:
> On 09/23/11 11:04, Dominick Grift wrote:
> > On Fri, 2011-09-23 at 10:25 -0400, Christopher J. PeBenito wrote:
> >> Right now, secure_mode_policyload disables policy loading and Boolean changing.  The latter is to prevent secure_mode_policyload from being turned off.  I was thinking that secure_mode_policyload could be revised by labeling this Boolean, and then only removing access to it when secure_mode_policyload is enabled, so Booleans can still be toggled, except for secure_mode_policyload.  Thoughts?
> >>
> > 
> > My thoughts on this are:
> > 
> > Does boolean toggling not involve a policyload? ( I am too lazy to add a
> > auditallow rule, but i gather you took that into account so must not be
> > the case or policyload must actually not refer to load_policy permission
> > ) 
> > 
> >> Sep 23 16:58:10 x220 dbus[1511]: avc:  received policyload notice (seqno=2)
> >> Sep 23 16:58:10 x220 dbus[1138]: avc:  received policyload notice (seqno=2)
> >> Sep 23 16:58:10 x220 dbus-daemon[1138]: dbus[1138]: avc:  received policyload notice (seqno=2)
> >> Sep 23 16:58:10 x220 dbus[1138]: [system] Reloaded configuration
> >> Sep 23 16:58:10 x220 dbus-daemon[1138]: dbus[1138]: [system] Reloaded configuration
> >> Sep 23 16:58:10 x220 setsebool: The xend_run_qemu policy boolean was changed to on by root
> 
> Are you sure you're not doing setsebool -P?  That rebuilds the policy.  If you skip -P, it shouldn't require a policy load.  If it is triggering a policy load, that is a bug.
> 

I guess you are saying that booleans without -P can be toggled but not
with -P.

I cannot remember the last time i used setsebool without -P, but ok.

Pretty insignificant change in my view. Might be confusing for a sysadm
but then again, if one uses that boolean one is probably familiar with
SELinux.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110923/8bfd62da/attachment.bin 


More information about the refpolicy mailing list