From: dwalsh@redhat.com (Daniel J Walsh) Date: Fri, 23 Sep 2011 13:37:41 -0400 Subject: [refpolicy] RFC: secure_mode_policyload revision In-Reply-To: <1316795704.1931.41.camel@x220.mydomain.internal> References: <4E7C96DF.4000007@tresys.com> <1316790268.1931.36.camel@x220.mydomain.internal> <4E7CA90E.107@tresys.com> <1316795704.1931.41.camel@x220.mydomain.internal> Message-ID: <4E7CC3E5.2030600@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/23/2011 12:35 PM, Dominick Grift wrote: > On Fri, 2011-09-23 at 11:43 -0400, Christopher J. PeBenito wrote: >> On 09/23/11 11:04, Dominick Grift wrote: >>> On Fri, 2011-09-23 at 10:25 -0400, Christopher J. PeBenito >>> wrote: >>>> Right now, secure_mode_policyload disables policy loading and >>>> Boolean changing. The latter is to prevent >>>> secure_mode_policyload from being turned off. I was thinking >>>> that secure_mode_policyload could be revised by labeling this >>>> Boolean, and then only removing access to it when >>>> secure_mode_policyload is enabled, so Booleans can still be >>>> toggled, except for secure_mode_policyload. Thoughts? >>>> >>> >>> My thoughts on this are: >>> >>> Does boolean toggling not involve a policyload? ( I am too lazy >>> to add a auditallow rule, but i gather you took that into >>> account so must not be the case or policyload must actually not >>> refer to load_policy permission ) >>> >>>> Sep 23 16:58:10 x220 dbus[1511]: avc: received policyload >>>> notice (seqno=2) Sep 23 16:58:10 x220 dbus[1138]: avc: >>>> received policyload notice (seqno=2) Sep 23 16:58:10 x220 >>>> dbus-daemon[1138]: dbus[1138]: avc: received policyload >>>> notice (seqno=2) Sep 23 16:58:10 x220 dbus[1138]: [system] >>>> Reloaded configuration Sep 23 16:58:10 x220 >>>> dbus-daemon[1138]: dbus[1138]: [system] Reloaded >>>> configuration Sep 23 16:58:10 x220 setsebool: The >>>> xend_run_qemu policy boolean was changed to on by root >> >> Are you sure you're not doing setsebool -P? That rebuilds the >> policy. If you skip -P, it shouldn't require a policy load. If >> it is triggering a policy load, that is a bug. >> > > I guess you are saying that booleans without -P can be toggled but > not with -P. > > I cannot remember the last time i used setsebool without -P, but > ok. > > Pretty insignificant change in my view. Might be confusing for a > sysadm but then again, if one uses that boolean one is probably > familiar with SELinux. > > > > _______________________________________________ refpolicy mailing > list refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy We might be eventually moving to tunables/booleans which will drop the number of booleans to about 4. Perhaps making this change mute. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk58w+QACgkQrlYvE4MpobOlpgCgvOFWqUr38WIH05f/37WU1jeV kLoAni2niq/5eLBHpP3cZqfazGSMuMx+ =/Ibz -----END PGP SIGNATURE-----