From: Rusty Russell <rusty@rustcorp.com.au>
To: Eric Paris <eparis@redhat.com>
Cc: Alan Jenkins <sourcejedi.lkml@googlemail.com>,
linux-kernel@vger.kernel.org, arjan@infradead.org,
randy.dunlap@oracle.com, andi@firstfloor.org,
dhowells@redhat.com, akpm@linux-foundation.org
Subject: Re: request_module vs. modprobe blacklist (and security subsystem implications)
Date: Thu, 22 Oct 2009 16:26:49 +1030 [thread overview]
Message-ID: <200910221626.51170.rusty@rustcorp.com.au> (raw)
In-Reply-To: <1256153248.4443.49.camel@dhcp231-106.rdu.redhat.com>
On Thu, 22 Oct 2009 05:57:28 am Eric Paris wrote:
> Ah yes, not your fault though :) The problem is that SELinux reports
> these denials and users get scared. We can (and now do) silence all of
> these SELinux caused denials, but now we have no notification if a
> malicious program tried to cause the auto loading of a module.
Well, yes. I think you need to be more careful in your filtering.
If a userspace program tries some security exploit that has been closed, do
you want to warn about it? Because that seems to be the question here.
Why should ssh not load IPv6? Because noone should? Fine, but there's a
difference between "I expect it to do this but I won't let it" and "I don't
expect it to do this".
I think the question is bigger than modprobe.conf vs request_module.
Or am I confused?
Rusty.
next prev parent reply other threads:[~2009-10-22 5:56 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-10-21 15:02 request_module vs. modprobe blacklist (and security subsystem implications) Eric Paris
2009-10-21 19:11 ` Alan Jenkins
2009-10-21 19:27 ` Eric Paris
2009-10-21 21:00 ` Alan Jenkins
2009-10-22 5:56 ` Rusty Russell [this message]
2009-10-22 14:30 ` Eric Paris
2009-10-23 9:16 ` Rusty Russell
2009-10-23 14:23 ` Eric Paris
2009-10-23 14:59 ` Rusty Russell
2009-10-22 0:48 ` Andi Kleen
2009-10-22 1:12 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200910221626.51170.rusty@rustcorp.com.au \
--to=rusty@rustcorp.com.au \
--cc=akpm@linux-foundation.org \
--cc=andi@firstfloor.org \
--cc=arjan@infradead.org \
--cc=dhowells@redhat.com \
--cc=eparis@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=randy.dunlap@oracle.com \
--cc=sourcejedi.lkml@googlemail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox