All of lore.kernel.org
 help / color / mirror / Atom feed
* [refpolicy] udev and secure_mode_insmod in selinux-policy-3.9.7-10.fc14 and later
       [not found] <4D26637F.9090503@catseye.org>
@ 2011-01-07 15:22 ` Daniel J Walsh
  0 siblings, 0 replies; only message in thread
From: Daniel J Walsh @ 2011-01-07 15:22 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/06/2011 07:51 PM, Mark Montague wrote:
> Under selinux-policy-3.9.7-7.fc14 and previous, udev was able to load 
> kernel modules even when secure_mode_insmod=on  Starting with the next 
> policy release, 3.9.7-10.fc14, this fails, resulting in the ethernet 
> device not being configured when the system boots; no denial is logged.
> 
> Setting secure_mode_insmod=off and rebooting results in a working 
> system, but allows other restricted domains to load kernel modules -- 
> which is a shame since I also have unconfined_login=off and 
> secure_mode=on.  So I added a local module with the following rule in 
> order to get the 3.9.7-7.fc14 behavior with secure_mode_insmod=on.  (The 
> seemingly superfluous enclosing "if" is needed to avoid a duplicate rule 
> error).
> 
>      if (secure_mode_insmod) {
>          modutils_domtrans_insmod_uncond(udev_t)
>      }
> 
> My question is:  what is the desired behavior for future policy 
> releases?  Should secure_mode_insmod=on affect udev as it currently does 
> under 3.9.7-10.fc14 and later?  (A literal reading of the description 
> for this boolean implies it should).  Or should a new boolean be added 
> (off by default) to allow administrators to have udev load kernel 
> modules even when secure_mode_insmod=on?  Or something else?
> 
> Apologies if this is actually a non-issue due to lack of understanding 
> on my end (but any education would be welcome in that case!)
> 
> --
>    Mark Montague
>    mark at catseye.org
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 
Lets ask this on refpolicy list, to see if we can get consensus
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0nL8sACgkQrlYvE4MpobOqdgCdG4Vn8hVcg+qDSp3qPCp9gcpi
ikMAnjZzQU+F9xaqBB7ujZcdWpt+STsp
=M2Xx
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2011-01-07 15:22 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <4D26637F.9090503@catseye.org>
2011-01-07 15:22 ` [refpolicy] udev and secure_mode_insmod in selinux-policy-3.9.7-10.fc14 and later Daniel J Walsh

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.