From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 28 Dec 2016 14:12:42 -0500 Subject: [refpolicy] [PATCH] kernel: never run in unconfined mode In-Reply-To: <1482939911.3268.1.camel@trentalancia.net> References: <1482939911.3268.1.camel@trentalancia.net> Message-ID: <9331838c-58a7-34fe-c69e-0b1803bd9dad@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/28/16 10:45, Guido Trentalancia via refpolicy wrote: > Update the kernel module so that it always runs in confined mode > and never runs in unconfined mode for maximum security. > > Signed-off-by: Guido Trentalancia > --- > policy/modules/kernel/kernel.te | 4 ---- > 1 file changed, 4 deletions(-) > > diff -pru a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te > --- a/policy/modules/kernel/kernel.te 2016-12-27 22:41:00.664390360 +0100 > +++ b/policy/modules/kernel/kernel.te 2016-12-28 16:37:35.176698945 +0100 > @@ -441,10 +441,6 @@ optional_policy(` > seutil_domtrans_setfiles(kernel_t) > ') > > -optional_policy(` > - unconfined_domain_noaudit(kernel_t) > -') > - NAK (see other thread) -- Chris PeBenito
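Review bot: in the kernel.te hunk at @@ -441,10 +441,6 @@, the unconfined_domain_noaudit(kernel_t) call is dropped with nothing added in its place (the diffstat shows 4 deletions and no insertions), so any access kernel_t currently receives only through that interface would be denied once this is applied. The commit message should state which accesses kernel_t still needs and how the result was tested, for example a boot in enforcing mode with the unconfined module present, and the patch should carry the explicit rules that replace the broad grant. The removed block is also already wrapped in optional_policy, so it only takes effect when the unconfined module is part of the policy; a build without that module gets a confined kernel_t without this change, which is worth mentioning in the description.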