From: guido@trentalancia.net (Guido Trentalancia) Date: Wed, 28 Dec 2016 16:45:11 +0100 Subject: [refpolicy] [PATCH] kernel: never run in unconfined mode Message-ID: <1482939911.3268.1.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Update the kernel module so that it always runs in confined mode and never runs in unconfined mode for maximum security. Signed-off-by: Guido Trentalancia --- policy/modules/kernel/kernel.te | 4 ---- 1 file changed, 4 deletions(-) diff -pru a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te --- a/policy/modules/kernel/kernel.te 2016-12-27 22:41:00.664390360 +0100 +++ b/policy/modules/kernel/kernel.te 2016-12-28 16:37:35.176698945 +0100 @@ -441,10 +441,6 @@ optional_policy(` seutil_domtrans_setfiles(kernel_t) ') -optional_policy(` - unconfined_domain_noaudit(kernel_t) -') - ######################################## # # Unlabeled process local policy
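
Review bot: The hunk at -441,10 in policy/modules/kernel/kernel.te drops the optional_policy block that calls unconfined_domain_noaudit(kernel_t) without adding any replacement rules (4 deletions, no additions), and the commit message does not say how the change was tested. On builds that include the unconfined module, kernel_t loses every permission it previously obtained only through that call. Please state in the commit message whether a boot in enforcing mode with the unconfined module present was checked for kernel_t denials, and add explicit rules to kernel.te for any access that turns out to be required, so the confined kernel_t is fully described by the policy in this file.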