[refpolicy] RFC: secure_mode_policyload revision

Christopher J. PeBenito cpebenito at tresys.com
Fri Sep 23 13:09:02 CDT 2011 

On 9/23/2011 1:37 PM, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/23/2011 12:35 PM, Dominick Grift wrote:
>> On Fri, 2011-09-23 at 11:43 -0400, Christopher J. PeBenito wrote:
>>> On 09/23/11 11:04, Dominick Grift wrote:
>>>> On Fri, 2011-09-23 at 10:25 -0400, Christopher J. PeBenito
>>>> wrote:
>>>>> Right now, secure_mode_policyload disables policy loading and
>>>>> Boolean changing.  The latter is to prevent
>>>>> secure_mode_policyload from being turned off.  I was thinking
>>>>> that secure_mode_policyload could be revised by labeling this
>>>>> Boolean, and then only removing access to it when
>>>>> secure_mode_policyload is enabled, so Booleans can still be
>>>>> toggled, except for secure_mode_policyload.  Thoughts?
>>>>>
>>>>
>>>> My thoughts on this are:
>>>>
>>>> Does boolean toggling not involve a policyload? ( I am too lazy
>>>> to add a auditallow rule, but i gather you took that into
>>>> account so must not be the case or policyload must actually not
>>>> refer to load_policy permission )
>>>>
>>>>> Sep 23 16:58:10 x220 dbus[1511]: avc:  received policyload
>>>>> notice (seqno=2) Sep 23 16:58:10 x220 dbus[1138]: avc:
>>>>> received policyload notice (seqno=2) Sep 23 16:58:10 x220
>>>>> dbus-daemon[1138]: dbus[1138]: avc:  received policyload
>>>>> notice (seqno=2) Sep 23 16:58:10 x220 dbus[1138]: [system]
>>>>> Reloaded configuration Sep 23 16:58:10 x220
>>>>> dbus-daemon[1138]: dbus[1138]: [system] Reloaded
>>>>> configuration Sep 23 16:58:10 x220 setsebool: The
>>>>> xend_run_qemu policy boolean was changed to on by root
>>>
>>> Are you sure you're not doing setsebool -P?  That rebuilds the
>>> policy.  If you skip -P, it shouldn't require a policy load.  If
>>> it is triggering a policy load, that is a bug.
>>>
>>
>> I guess you are saying that booleans without -P can be toggled but
>> not with -P.
>>
>> I cannot remember the last time i used setsebool without -P, but
>> ok.

Precisely why I always pushed for real tunables.  Booleans were supposed to be more transient.

>> Pretty insignificant change in my view. Might be confusing for a
>> sysadm but then again, if one uses that boolean one is probably
>> familiar with SELinux.
>
> We might be eventually moving to tunables/booleans which will drop the
> number of booleans to about 4.  Perhaps making this change mute.

Actually, I was thinking about this in a pure functionality sense, not as a policy size optimization.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

More information about the refpolicy mailing list