From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] RFC: secure_mode_policyload revision
Date: Fri, 23 Sep 2011 14:09:02 -0400 [thread overview]
Message-ID: <4E7CCB3E.9090805@tresys.com> (raw)
In-Reply-To: <4E7CC3E5.2030600@redhat.com>
On 9/23/2011 1:37 PM, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/23/2011 12:35 PM, Dominick Grift wrote:
>> On Fri, 2011-09-23 at 11:43 -0400, Christopher J. PeBenito wrote:
>>> On 09/23/11 11:04, Dominick Grift wrote:
>>>> On Fri, 2011-09-23 at 10:25 -0400, Christopher J. PeBenito
>>>> wrote:
>>>>> Right now, secure_mode_policyload disables policy loading and
>>>>> Boolean changing. The latter is to prevent
>>>>> secure_mode_policyload from being turned off. I was thinking
>>>>> that secure_mode_policyload could be revised by labeling this
>>>>> Boolean, and then only removing access to it when
>>>>> secure_mode_policyload is enabled, so Booleans can still be
>>>>> toggled, except for secure_mode_policyload. Thoughts?
>>>>>
>>>>
>>>> My thoughts on this are:
>>>>
>>>> Does boolean toggling not involve a policyload? ( I am too lazy
>>>> to add a auditallow rule, but i gather you took that into
>>>> account so must not be the case or policyload must actually not
>>>> refer to load_policy permission )
>>>>
>>>>> Sep 23 16:58:10 x220 dbus[1511]: avc: received policyload
>>>>> notice (seqno=2) Sep 23 16:58:10 x220 dbus[1138]: avc:
>>>>> received policyload notice (seqno=2) Sep 23 16:58:10 x220
>>>>> dbus-daemon[1138]: dbus[1138]: avc: received policyload
>>>>> notice (seqno=2) Sep 23 16:58:10 x220 dbus[1138]: [system]
>>>>> Reloaded configuration Sep 23 16:58:10 x220
>>>>> dbus-daemon[1138]: dbus[1138]: [system] Reloaded
>>>>> configuration Sep 23 16:58:10 x220 setsebool: The
>>>>> xend_run_qemu policy boolean was changed to on by root
>>>
>>> Are you sure you're not doing setsebool -P? That rebuilds the
>>> policy. If you skip -P, it shouldn't require a policy load. If
>>> it is triggering a policy load, that is a bug.
>>>
>>
>> I guess you are saying that booleans without -P can be toggled but
>> not with -P.
>>
>> I cannot remember the last time i used setsebool without -P, but
>> ok.
Precisely why I always pushed for real tunables. Booleans were supposed to be more transient.
>> Pretty insignificant change in my view. Might be confusing for a
>> sysadm but then again, if one uses that boolean one is probably
>> familiar with SELinux.
>
> We might be eventually moving to tunables/booleans which will drop the
> number of booleans to about 4. Perhaps making this change mute.
Actually, I was thinking about this in a pure functionality sense, not as a policy size optimization.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
prev parent reply other threads:[~2011-09-23 18:09 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-23 14:25 [refpolicy] RFC: secure_mode_policyload revision Christopher J. PeBenito
2011-09-23 14:53 ` Russell Coker
2011-09-23 14:58 ` Daniel J Walsh
2011-09-23 15:04 ` Dominick Grift
2011-09-23 15:43 ` Christopher J. PeBenito
2011-09-23 16:15 ` Dominick Grift
2011-09-23 16:35 ` Dominick Grift
2011-09-23 17:37 ` Daniel J Walsh
2011-09-23 18:09 ` Christopher J. PeBenito [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E7CCB3E.9090805@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.