2022-02-03 21:11:44

by Chris PeBenito

[permalink] [raw]
Subject: Re: kmod and unsigned modules

On 2/1/2022 04:29, Russell Coker wrote:
> [ 9.002945] audit: type=1400 audit(1643707510.152:4): avc: denied {
> integrity } for pid=371 comm="modprobe" lockdown_reason="unsigned module
> loading" scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:system_r:kmod_t:s0 tclass=lockdown permissive=0
>
> We need to have a boolean for this. Just sending email so I don't forget it.

Switching to the refpolicy mail list.

The lockdown checks were removed in 5.16. IMO we should allow all
domains both lockdown permissions until the lockdown class in the policy
is removed.


--
Chris PeBenito


2022-02-06 17:58:14

by Paul Moore

[permalink] [raw]
Subject: Re: kmod and unsigned modules

On Tue, Feb 1, 2022 at 7:34 AM Chris PeBenito
<[email protected]> wrote:
>
> On 2/1/2022 04:29, Russell Coker wrote:
> > [ 9.002945] audit: type=1400 audit(1643707510.152:4): avc: denied {
> > integrity } for pid=371 comm="modprobe" lockdown_reason="unsigned module
> > loading" scontext=system_u:system_r:kmod_t:s0
> > tcontext=system_u:system_r:kmod_t:s0 tclass=lockdown permissive=0
> >
> > We need to have a boolean for this. Just sending email so I don't forget it.
>
> Switching to the refpolicy mail list.
>
> The lockdown checks were removed in 5.16. IMO we should allow all
> domains both lockdown permissions until the lockdown class in the policy
> is removed.

For reference, here is the related discussion thread:

https://lore.kernel.org/selinux/[email protected]

--
paul-moore.com