From: dominick.grift@gmail.com (Dominick Grift) Date: Fri, 23 Sep 2011 17:04:28 +0200 Subject: [refpolicy] RFC: secure_mode_policyload revision In-Reply-To: <4E7C96DF.4000007@tresys.com> References: <4E7C96DF.4000007@tresys.com> Message-ID: <1316790268.1931.36.camel@x220.mydomain.internal> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 2011-09-23 at 10:25 -0400, Christopher J. PeBenito wrote: > Right now, secure_mode_policyload disables policy loading and Boolean changing. The latter is to prevent secure_mode_policyload from being turned off. I was thinking that secure_mode_policyload could be revised by labeling this Boolean, and then only removing access to it when secure_mode_policyload is enabled, so Booleans can still be toggled, except for secure_mode_policyload. Thoughts? > My thoughts on this are: Does boolean toggling not involve a policyload? ( I am too lazy to add a auditallow rule, but i gather you took that into account so must not be the case or policyload must actually not refer to load_policy permission ) > Sep 23 16:58:10 x220 dbus[1511]: avc: received policyload notice (seqno=2) > Sep 23 16:58:10 x220 dbus[1138]: avc: received policyload notice (seqno=2) > Sep 23 16:58:10 x220 dbus-daemon[1138]: dbus[1138]: avc: received policyload notice (seqno=2) > Sep 23 16:58:10 x220 dbus[1138]: [system] Reloaded configuration > Sep 23 16:58:10 x220 dbus-daemon[1138]: dbus[1138]: [system] Reloaded configuration > Sep 23 16:58:10 x220 setsebool: The xend_run_qemu policy boolean was changed to on by root Besides that i think: > ## > ##

> ## Make the specified type used for labeling SELinux Booleans. > ##

> ##

> ## This makes use of genfscon statements, which are only > ## available in the base module. Thus any module which calls this > ## interface must be included in the base module. > ##

> ##
No big deal in this case because selinux module is in base already. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110923/cc53af8f/attachment.bin