2011-01-07 15:22:51

by Daniel Walsh

Subject: [refpolicy] udev and secure_mode_insmod in selinux-policy-3.9.7-10.fc14 and later

On 01/06/2011 07:51 PM, Mark Montague wrote:
> Under selinux-policy-3.9.7-7.fc14 and previous, udev was able to load
> kernel modules even when secure_mode_insmod=on. Starting with the next
> policy release, 3.9.7-10.fc14, this fails, resulting in the ethernet
> device not being configured when the system boots; no denial is logged.
>
> Setting secure_mode_insmod=off and rebooting results in a working
> system, but allows other restricted domains to load kernel modules --
> which is a shame since I also have unconfined_login=off and
> secure_mode=on. So I added a local module with the following rule in
> order to get the 3.9.7-7.fc14 behavior with secure_mode_insmod=on. (The
> seemingly superfluous enclosing "if" is needed to avoid a duplicate rule
> error).
>
> if (secure_mode_insmod) {
> modutils_domtrans_insmod_uncond(udev_t)
> }
>
> My question is: what is the desired behavior for future policy
> releases? Should secure_mode_insmod=on affect udev as it currently does
> under 3.9.7-10.fc14 and later? (A literal reading of the description
> for this boolean implies it should). Or should a new boolean be added
> (off by default) to allow administrators to have udev load kernel
> modules even when secure_mode_insmod=on? Or something else?
>
> Apologies if this is actually a non-issue due to lack of understanding
> on my end (but any education would be welcome in that case!)
>
> --
> Mark Montague
> mark at catseye.org
>
Let's ask this on the refpolicy list to see if we can get consensus.
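For reference, here is the rule Mark quotes wrapped in a complete local policy module together with the build and load steps, as an added example that is not part of this thread. The module name, the require block, and the use of the selinux-policy-devel Makefile are assumptions, not something either poster described.

```shell
#!/bin/sh
# Added example (not from the thread): build a local SELinux policy module
# that lets udev_t transition to insmod_t even while secure_mode_insmod=on,
# without flipping the boolean off for every other restricted domain.
# Assumed: module name local_udev_insmod, selinux-policy-devel installed.

MODNAME=local_udev_insmod

# Emit the .te source for the module on stdout.
gen_te() {
    cat <<'EOF'
policy_module(local_udev_insmod, 1.0)

require {
    type udev_t;
    bool secure_mode_insmod;
}

# The enclosing "if" avoids a duplicate-rule error: with the boolean off,
# the distribution policy already grants this transition.
if (secure_mode_insmod) {
    modutils_domtrans_insmod_uncond(udev_t)
}
EOF
}

# Write the source, compile it with the refpolicy devel Makefile (m4 expands
# policy_module and the modutils_* interface), then install it. Needs root.
build_and_load() {
    gen_te > "$MODNAME.te"
    make -f /usr/share/selinux/devel/Makefile "$MODNAME.pp" || return 1
    semodule -i "$MODNAME.pp"
}

# Show the resulting state: the boolean should still be on and the module listed.
check_state() {
    getsebool secure_mode_insmod
    semodule -l | grep "^$MODNAME"
}
```

Run `build_and_load` once as root and then `check_state`; udev should be able to load modules after the next boot while secure_mode_insmod stays on for other domains.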