From: aranea@aixah.de (Luis Ressel)
Date: Tue, 18 Feb 2014 19:13:28 +0100
Subject: [refpolicy] kmod
In-Reply-To: <20131113172744.356c16a5@gentp.lnet>
References: <20131109143209.2fe65eb6@gentp.lnet> <5283907A.5020902@tresys.com>
	<20131113172744.356c16a5@gentp.lnet>
Message-ID: <20140218191328.0119e123@gentp.lnet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 13 Nov 2013 17:27:44 +0100
Luis Ressel <aranea@aixah.de> wrote:

> I followed option 3 on my systems. I think SELinux-using distros would
> accept this change, as it's both the simplest and the most secure
> solution. I'll also try to upstream it in the next days.
> 
> The only change to the policy required by my approach is
> "modutils_exec_insmod(depmod_t)", as /sbin/depmod, now tagged
> depmod_t, needs to be able to execute /bin/kmod (insmod_t) in its own
> domain.

I now contacted upstream about this. They came up with an even simpler
approach: cp /bin/kmod /sbin/depmod

No policy changes are required for this, it can be easily done by
distributions.


Regards,
Luis Ressel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 966 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140218/4c1743f8/attachment.bin