From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 28 Dec 2016 14:12:42 -0500
Subject: [refpolicy] [PATCH] kernel: never run in unconfined mode
In-Reply-To: <1482939911.3268.1.camel@trentalancia.net>
References: <1482939911.3268.1.camel@trentalancia.net>
Message-ID: <9331838c-58a7-34fe-c69e-0b1803bd9dad@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/28/16 10:45, Guido Trentalancia via refpolicy wrote:
> Update the kernel module so that it always runs in confined mode
> and never runs in unconfined mode for maximum security.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/kernel/kernel.te |    4 ----
>  1 file changed, 4 deletions(-)
>
> diff -pru a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> --- a/policy/modules/kernel/kernel.te	2016-12-27 22:41:00.664390360 +0100
> +++ b/policy/modules/kernel/kernel.te	2016-12-28 16:37:35.176698945 +0100
> @@ -441,10 +441,6 @@ optional_policy(`
>  	seutil_domtrans_setfiles(kernel_t)
>  ')
>
> -optional_policy(`
> -	unconfined_domain_noaudit(kernel_t)
> -')
> -

NAK (see other thread)

-- 
Chris PeBenito