From: dominick.grift@gmail.com (Dominick Grift)
Date: Fri, 23 Sep 2011 18:35:04 +0200
Subject: [refpolicy] RFC: secure_mode_policyload revision
In-Reply-To: <4E7CA90E.107@tresys.com>
References: <4E7C96DF.4000007@tresys.com>
	<1316790268.1931.36.camel@x220.mydomain.internal>
	<4E7CA90E.107@tresys.com>
Message-ID: <1316795704.1931.41.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2011-09-23 at 11:43 -0400, Christopher J. PeBenito wrote:
> On 09/23/11 11:04, Dominick Grift wrote:
> > On Fri, 2011-09-23 at 10:25 -0400, Christopher J. PeBenito wrote:
> >> Right now, secure_mode_policyload disables policy loading and Boolean changing.  The latter is to prevent secure_mode_policyload from being turned off.  I was thinking that secure_mode_policyload could be revised by labeling this Boolean, and then only removing access to it when secure_mode_policyload is enabled, so Booleans can still be toggled, except for secure_mode_policyload.  Thoughts?
> >>
> > 
> > My thoughts on this are:
> > 
> > Does boolean toggling not involve a policyload? ( I am too lazy to add a
> > auditallow rule, but i gather you took that into account so must not be
> > the case or policyload must actually not refer to load_policy permission
> > ) 
> > 
> >> Sep 23 16:58:10 x220 dbus[1511]: avc:  received policyload notice (seqno=2)
> >> Sep 23 16:58:10 x220 dbus[1138]: avc:  received policyload notice (seqno=2)
> >> Sep 23 16:58:10 x220 dbus-daemon[1138]: dbus[1138]: avc:  received policyload notice (seqno=2)
> >> Sep 23 16:58:10 x220 dbus[1138]: [system] Reloaded configuration
> >> Sep 23 16:58:10 x220 dbus-daemon[1138]: dbus[1138]: [system] Reloaded configuration
> >> Sep 23 16:58:10 x220 setsebool: The xend_run_qemu policy boolean was changed to on by root
> 
> Are you sure you're not doing setsebool -P?  That rebuilds the policy.  If you skip -P, it shouldn't require a policy load.  If it is triggering a policy load, that is a bug.
> 

I guess you are saying that booleans without -P can be toggled but not
with -P.

I cannot remember the last time i used setsebool without -P, but ok.

Pretty insignificant change in my view. Might be confusing for a sysadm
but then again, if one uses that boolean one is probably familiar with
SELinux.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110923/8bfd62da/attachment.bin