From: Paul Moore
Date: Tue, 1 Feb 2022 09:14:06 -0500
Subject: Re: kmod and unsigned modules
To: Chris PeBenito
Cc: russell@coker.com.au, SELinux Reference Policy mailing list
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Tue, Feb 1, 2022 at 7:34 AM Chris PeBenito wrote:
>
> On 2/1/2022 04:29, Russell Coker wrote:
> > [ 9.002945] audit: type=1400 audit(1643707510.152:4): avc: denied {
> > integrity } for pid=371 comm="modprobe" lockdown_reason="unsigned module
> > loading" scontext=system_u:system_r:kmod_t:s0
> > tcontext=system_u:system_r:kmod_t:s0 tclass=lockdown permissive=0
> >
> > We need to have a boolean for this. Just sending email so I don't forget it.
>
> Switching to the refpolicy mail list.
>
> The lockdown checks were removed in 5.16. IMO we should allow all
> domains both lockdown permissions until the lockdown class in the policy
> is removed.

For reference, here is the related discussion thread:

https://lore.kernel.org/selinux/163243191040.178880.4295195865966623164.stgit@olly

-- 
paul-moore.com
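The denial quoted in this thread can be picked out of a kernel log mechanically. The following is an added example, not code from the thread or from refpolicy: it rejoins line-wrapped audit records, parses AVC denials, and counts those against the `lockdown` class by source domain, permission and `lockdown_reason`. The function names and the second log record are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the denial quoted in the thread (wrapped as in the mail)
# plus one constructed, unrelated AVC record for contrast.
SAMPLE_LOG = """\
[ 9.002945] audit: type=1400 audit(1643707510.152:4): avc: denied {
integrity } for pid=371 comm="modprobe" lockdown_reason="unsigned module
loading" scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:system_r:kmod_t:s0 tclass=lockdown permissive=0
[ 12.100000] audit: type=1400 audit(1643707513.250:9): avc: denied { read } for pid=400 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Rejoin records that a mail client or terminal wrapped across lines."""
    records = []
    for line in text.splitlines():
        if "audit:" in line or not records:
            records.append(line.strip())      # start of a new audit record
        else:
            records[-1] += " " + line.strip()  # continuation of the previous one
    return records

def parse_avc(record):
    """Parse one AVC denial into a dict of its fields, or None if it is not one."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    ctx = fields.get("scontext", "").split(":")
    fields["sdomain"] = ctx[2] if len(ctx) > 2 else "?"  # type part of user:role:type:level
    return fields

def summarize(text):
    """Count lockdown-class denials by (domain, permission, reason, enforced)."""
    counts = Counter()
    for f in map(parse_avc, unwrap(text)):
        if f and f.get("tclass") == "lockdown":
            for perm in f["perms"]:
                counts[(f["sdomain"], perm, f.get("lockdown_reason", ""), f.get("permissive") == "0")] += 1
    return counts

if __name__ == "__main__":
    for (dom, perm, reason, enforced), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x {dom} lockdown:{perm} reason={reason!r} enforced={enforced}")
```
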