[refpolicy] RFC: secure_mode_policyload revision

From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] RFC: secure_mode_policyload revision
Date: Fri, 23 Sep 2011 13:37:41 -0400	[thread overview]
Message-ID: <4E7CC3E5.2030600@redhat.com> (raw)
In-Reply-To: <1316795704.1931.41.camel@x220.mydomain.internal>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/23/2011 12:35 PM, Dominick Grift wrote:
> On Fri, 2011-09-23 at 11:43 -0400, Christopher J. PeBenito wrote:
>> On 09/23/11 11:04, Dominick Grift wrote:
>>> On Fri, 2011-09-23 at 10:25 -0400, Christopher J. PeBenito
>>> wrote:
>>>> Right now, secure_mode_policyload disables policy loading and
>>>> Boolean changing.  The latter is to prevent
>>>> secure_mode_policyload from being turned off.  I was thinking
>>>> that secure_mode_policyload could be revised by labeling this
>>>> Boolean, and then only removing access to it when
>>>> secure_mode_policyload is enabled, so Booleans can still be
>>>> toggled, except for secure_mode_policyload.  Thoughts?
>>>> 
>>> 
>>> My thoughts on this are:
>>> 
>>> Does boolean toggling not involve a policyload? ( I am too lazy
>>> to add a auditallow rule, but i gather you took that into
>>> account so must not be the case or policyload must actually not
>>> refer to load_policy permission )
>>> 
>>>> Sep 23 16:58:10 x220 dbus[1511]: avc:  received policyload
>>>> notice (seqno=2) Sep 23 16:58:10 x220 dbus[1138]: avc:
>>>> received policyload notice (seqno=2) Sep 23 16:58:10 x220
>>>> dbus-daemon[1138]: dbus[1138]: avc:  received policyload
>>>> notice (seqno=2) Sep 23 16:58:10 x220 dbus[1138]: [system]
>>>> Reloaded configuration Sep 23 16:58:10 x220
>>>> dbus-daemon[1138]: dbus[1138]: [system] Reloaded
>>>> configuration Sep 23 16:58:10 x220 setsebool: The
>>>> xend_run_qemu policy boolean was changed to on by root
>> 
>> Are you sure you're not doing setsebool -P?  That rebuilds the
>> policy.  If you skip -P, it shouldn't require a policy load.  If
>> it is triggering a policy load, that is a bug.
>> 
> 
> I guess you are saying that booleans without -P can be toggled but
> not with -P.
> 
> I cannot remember the last time i used setsebool without -P, but
> ok.
> 
> Pretty insignificant change in my view. Might be confusing for a
> sysadm but then again, if one uses that boolean one is probably
> familiar with SELinux.
> 
> 
> 
> _______________________________________________ refpolicy mailing
> list refpolicy at oss.tresys.com 
> http://oss.tresys.com/mailman/listinfo/refpolicy


We might be eventually moving to tunables/booleans which will drop the
number of booleans to about 4.  Perhaps making this change mute.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk58w+QACgkQrlYvE4MpobOlpgCgvOFWqUr38WIH05f/37WU1jeV
kLoAni2niq/5eLBHpP3cZqfazGSMuMx+
=/Ibz
-----END PGP SIGNATURE-----