Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp2739410pxb;
        Thu, 3 Feb 2022 13:11:44 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwZMJOmdKkFN/I39zi5PUxd0GbLggsdH6KP/zaVTtacwz4lQNKe83NM0J0/RLYfX8cDXcyE
X-Received: by 2002:a05:6402:787:: with SMTP id d7mr25650edy.390.1643922704690;
        Thu, 03 Feb 2022 13:11:44 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1643922704; cv=none;
        d=google.com; s=arc-20160816;
        b=Ch41Kw3ZbIEdW7lavEpNBua2Mee20Iw4/8MMOnN7bC3hY21Ry91XtYVlWr4LyvIL8O
         IRRyy8Dq9aAvReQWV5807KEn8oJVs/7skxsSIX3E8NyNGh7qDK1kY92yiq6ZnTIBAOnC
         2egcKPwehvEW2VQFlvKcbumZWFVxnYjmg8Qusq1tSebxcidEvn32Tsrz1EKI9qhAT94S
         yYZixicGELfxWURiXO2HbPjYgIkZQs91QkHKiD1J9zvL8cu5K3Phjdv/x7zgxhhfijT/
         LR4s+a8rv/4GVylCw7QjBqjzQzmg6tLgrXTXb2Cj5kL6gPREAt5WcrWOZAuMlmWTgFe6
         avhg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:to:content-language:subject:user-agent:mime-version:date
         :message-id:dkim-signature:dkim-filter;
        bh=nGW3HqhBhqX2EuVnICCxjGmrKk/VP94AUZ2cZ6Oo3Hk=;
        b=p85O3LRXPi9gue9jfFGi5Aoezlrk00jQ0uluMOZWO3zGCQpLIJysIlDL+Ua+mRb2Lf
         QrzlC0ncY1hg1bWwr8ny2J1VEfvRAcM3Yk1xjjqOUiRVYWbzOMqkgdb1pifuceL4vVip
         ydmN3sooR9M3F353eZthY4emNLn3E9A7y/ZDJAM9kSpyLGcWDm5jB39Bg6dANWp2XqrQ
         j7rhIQd9iAi++SjZdayKF50Sm2HdjcDj3bojhcLxfTShvMCs/ZnRgONmvCIcE8zMBGjT
         e8Jd+aSCEgMUkaqm+OD25Iss5ORlI/RIqHMxaI1o/5Sj/uCuaQGHrk0c9T/K4qHYAYdT
         LV4A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linux.microsoft.com header.s=default header.b=EaHgUcWr;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id v13si15091408edc.173.2022.02.03.13.11.36;
        Thu, 03 Feb 2022 13:11:44 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux.microsoft.com header.s=default header.b=EaHgUcWr;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236277AbiBAMeo (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 22 others); Tue, 1 Feb 2022 07:34:44 -0500
Received: from linux.microsoft.com ([13.77.154.182]:58626 "EHLO
        linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S237872AbiBAMem (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Tue, 1 Feb 2022 07:34:42 -0500
Received: from [192.168.254.13] (unknown [72.85.44.115])
        by linux.microsoft.com (Postfix) with ESMTPSA id EA16320B6C61;
        Tue,  1 Feb 2022 04:34:41 -0800 (PST)
DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com EA16320B6C61
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com;
        s=default; t=1643718882;
        bh=nGW3HqhBhqX2EuVnICCxjGmrKk/VP94AUZ2cZ6Oo3Hk=;
        h=Date:Subject:To:References:From:In-Reply-To:From;
        b=EaHgUcWro9vs5fTY3P1RFW/0SWHfR5kTs0ijPW1Sf5gaWrrbA7jTbA4vXlbPXwC2i
         J23XfLqse5T2enRRyhxfT0Fy2acB4YSzzU+pAgrYfmt3m7IX2QBD1YQkvftNG3tLSx
         +amKjvzXrFIz/uw+C4CyV7nJUtR39+W1Z5W0xG/s=
Message-ID: <29a0bce7-0260-f403-a5d2-4a079aa14f3c@linux.microsoft.com>
Date:   Tue, 1 Feb 2022 07:34:40 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Thunderbird/91.5.1
Subject: Re: kmod and unsigned modules
Content-Language: en-US
To:     russell@coker.com.au,
        SELinux Reference Policy mailing list 
        <selinux-refpolicy@vger.kernel.org>
References: <8839796.NKUDOvIH9j@xev>
From:   Chris PeBenito <chpebeni@linux.microsoft.com>
In-Reply-To: <8839796.NKUDOvIH9j@xev>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 2/1/2022 04:29, Russell Coker wrote:
> [    9.002945] audit: type=1400 audit(1643707510.152:4): avc:  denied  {
> integrity } for  pid=371 comm="modprobe" lockdown_reason="unsigned module
> loading" scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:system_r:kmod_t:s0 tclass=lockdown permissive=0
> 
> We need to have a boolean for this.  Just sending email so I don't forget it.

Switching to the refpolicy mail list.

The lockdown checks were removed in 5.16.  IMO we should allow all 
domains both lockdown permissions until the lockdown class in the policy 
is removed.


--
Chris PeBenito