From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 23 Sep 2011 14:09:02 -0400 Subject: [refpolicy] RFC: secure_mode_policyload revision In-Reply-To: <4E7CC3E5.2030600@redhat.com> References: <4E7C96DF.4000007@tresys.com> <1316790268.1931.36.camel@x220.mydomain.internal> <4E7CA90E.107@tresys.com> <1316795704.1931.41.camel@x220.mydomain.internal> <4E7CC3E5.2030600@redhat.com> Message-ID: <4E7CCB3E.9090805@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 9/23/2011 1:37 PM, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 09/23/2011 12:35 PM, Dominick Grift wrote: >> On Fri, 2011-09-23 at 11:43 -0400, Christopher J. PeBenito wrote: >>> On 09/23/11 11:04, Dominick Grift wrote: >>>> On Fri, 2011-09-23 at 10:25 -0400, Christopher J. PeBenito >>>> wrote: >>>>> Right now, secure_mode_policyload disables policy loading and >>>>> Boolean changing. The latter is to prevent >>>>> secure_mode_policyload from being turned off. I was thinking >>>>> that secure_mode_policyload could be revised by labeling this >>>>> Boolean, and then only removing access to it when >>>>> secure_mode_policyload is enabled, so Booleans can still be >>>>> toggled, except for secure_mode_policyload. Thoughts? >>>>> >>>> >>>> My thoughts on this are: >>>> >>>> Does boolean toggling not involve a policyload? ( I am too lazy >>>> to add a auditallow rule, but i gather you took that into >>>> account so must not be the case or policyload must actually not >>>> refer to load_policy permission ) >>>> >>>>> Sep 23 16:58:10 x220 dbus[1511]: avc: received policyload >>>>> notice (seqno=2) Sep 23 16:58:10 x220 dbus[1138]: avc: >>>>> received policyload notice (seqno=2) Sep 23 16:58:10 x220 >>>>> dbus-daemon[1138]: dbus[1138]: avc: received policyload >>>>> notice (seqno=2) Sep 23 16:58:10 x220 dbus[1138]: [system] >>>>> Reloaded configuration Sep 23 16:58:10 x220 >>>>> dbus-daemon[1138]: dbus[1138]: [system] Reloaded >>>>> configuration Sep 23 16:58:10 x220 setsebool: The >>>>> xend_run_qemu policy boolean was changed to on by root >>> >>> Are you sure you're not doing setsebool -P? That rebuilds the >>> policy. If you skip -P, it shouldn't require a policy load. If >>> it is triggering a policy load, that is a bug. >>> >> >> I guess you are saying that booleans without -P can be toggled but >> not with -P. >> >> I cannot remember the last time i used setsebool without -P, but >> ok. Precisely why I always pushed for real tunables. Booleans were supposed to be more transient. >> Pretty insignificant change in my view. Might be confusing for a >> sysadm but then again, if one uses that boolean one is probably >> familiar with SELinux. > > We might be eventually moving to tunables/booleans which will drop the > number of booleans to about 4. Perhaps making this change mute. Actually, I was thinking about this in a pure functionality sense, not as a policy size optimization. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com