Date: Tue, 1 Feb 2022 07:34:40 -0500
Subject: Re: kmod and unsigned modules
To: russell@coker.com.au, SELinux Reference Policy mailing list
From: Chris PeBenito
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 2/1/2022 04:29, Russell Coker wrote:
> [ 9.002945] audit: type=1400 audit(1643707510.152:4): avc: denied {
> integrity } for pid=371 comm="modprobe" lockdown_reason="unsigned module
> loading" scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:system_r:kmod_t:s0 tclass=lockdown permissive=0
>
> We need to have a boolean for this. Just sending email so I don't forget it.

Switching to the refpolicy mail list.

The lockdown checks were removed in 5.16. IMO we should allow all domains both
lockdown permissions until the lockdown class in the policy is removed.

--
Chris PeBenito
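
The denial quoted in this message, run through a small parser that reports which lockdown permissions each domain was refused and renders the matching allow rule. This is an added example, not part of the original email or of refpolicy; the function names are hypothetical and SAMPLE is the quoted log record joined onto one line.

```python
import re

# Constructed sample: the AVC record quoted in the thread, on one line.
SAMPLE = ('[ 9.002945] audit: type=1400 audit(1643707510.152:4): avc: denied '
          '{ integrity } for pid=371 comm="modprobe" '
          'lockdown_reason="unsigned module loading" '
          'scontext=system_u:system_r:kmod_t:s0 '
          'tcontext=system_u:system_r:kmod_t:s0 tclass=lockdown permissive=0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
# Values are either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields


def type_of(context):
    """Extract the type from a user:role:type[:level] security context."""
    return context.split(':')[2]


def lockdown_rules(lines):
    """Group lockdown-class denials by domain and render one rule per domain."""
    needed = {}
    for line in lines:
        avc = parse_avc(line)
        if not avc or avc.get('tclass') != 'lockdown':
            continue  # not a denial, or a denial on another object class
        src, tgt = type_of(avc['scontext']), type_of(avc['tcontext'])
        target = 'self' if src == tgt else tgt
        needed.setdefault((src, target), set()).update(avc['perms'])
    return [f"allow {s} {t}:lockdown {{ {' '.join(sorted(p))} }};"
            for (s, t), p in sorted(needed.items())]


if __name__ == '__main__':
    for rule in lockdown_rules([SAMPLE]):
        print(rule)
```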