From: dominick.grift@gmail.com (Dominick Grift) Date: Fri, 23 Sep 2011 18:15:05 +0200 Subject: [refpolicy] RFC: secure_mode_policyload revision In-Reply-To: <4E7CA90E.107@tresys.com> References: <4E7C96DF.4000007@tresys.com> <1316790268.1931.36.camel@x220.mydomain.internal> <4E7CA90E.107@tresys.com> Message-ID: <1316794505.1931.37.camel@x220.mydomain.internal> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 2011-09-23 at 11:43 -0400, Christopher J. PeBenito wrote: > On 09/23/11 11:04, Dominick Grift wrote: > > On Fri, 2011-09-23 at 10:25 -0400, Christopher J. PeBenito wrote: > >> Right now, secure_mode_policyload disables policy loading and Boolean changing. The latter is to prevent secure_mode_policyload from being turned off. I was thinking that secure_mode_policyload could be revised by labeling this Boolean, and then only removing access to it when secure_mode_policyload is enabled, so Booleans can still be toggled, except for secure_mode_policyload. Thoughts? > >> > > > > My thoughts on this are: > > > > Does boolean toggling not involve a policyload? ( I am too lazy to add a > > auditallow rule, but i gather you took that into account so must not be > > the case or policyload must actually not refer to load_policy permission > > ) > > > >> Sep 23 16:58:10 x220 dbus[1511]: avc: received policyload notice (seqno=2) > >> Sep 23 16:58:10 x220 dbus[1138]: avc: received policyload notice (seqno=2) > >> Sep 23 16:58:10 x220 dbus-daemon[1138]: dbus[1138]: avc: received policyload notice (seqno=2) > >> Sep 23 16:58:10 x220 dbus[1138]: [system] Reloaded configuration > >> Sep 23 16:58:10 x220 dbus-daemon[1138]: dbus[1138]: [system] Reloaded configuration > >> Sep 23 16:58:10 x220 setsebool: The xend_run_qemu policy boolean was changed to on by root > > Are you sure you're not doing setsebool -P? That rebuilds the policy. If you skip -P, it shouldn't require a policy load. If it is triggering a policy load, that is a bug. > Erm yes i am using -P how does that affect my argument? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110923/1d026961/attachment.bin