selinux-refpolicy.vger.kernel.org archive mirror
* Re: kmod and unsigned modules
From: Chris PeBenito @ 2022-02-01 12:34 UTC (permalink / raw)
  To: russell, SELinux Reference Policy mailing list

On 2/1/2022 04:29, Russell Coker wrote:
> [    9.002945] audit: type=1400 audit(1643707510.152:4): avc:  denied  {
> integrity } for  pid=371 comm="modprobe" lockdown_reason="unsigned module
> loading" scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:system_r:kmod_t:s0 tclass=lockdown permissive=0
> 
> We need to have a boolean for this.  Just sending email so I don't forget it.

Switching to the refpolicy mail list.

The lockdown checks were removed in 5.16.  IMO we should allow all 
domains both lockdown permissions until the lockdown class in the policy 
is removed.


--
Chris PeBenito


* Re: kmod and unsigned modules
From: Paul Moore @ 2022-02-01 14:14 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: russell, SELinux Reference Policy mailing list

On Tue, Feb 1, 2022 at 7:34 AM Chris PeBenito
<chpebeni@linux.microsoft.com> wrote:
>
> On 2/1/2022 04:29, Russell Coker wrote:
> > [    9.002945] audit: type=1400 audit(1643707510.152:4): avc:  denied  {
> > integrity } for  pid=371 comm="modprobe" lockdown_reason="unsigned module
> > loading" scontext=system_u:system_r:kmod_t:s0
> > tcontext=system_u:system_r:kmod_t:s0 tclass=lockdown permissive=0
> >
> > We need to have a boolean for this.  Just sending email so I don't forget it.
>
> Switching to the refpolicy mail list.
>
> The lockdown checks were removed in 5.16.  IMO we should allow all
> domains both lockdown permissions until the lockdown class in the policy
> is removed.

For reference, here is the related discussion thread:

https://lore.kernel.org/selinux/163243191040.178880.4295195865966623164.stgit@olly

-- 
paul-moore.com
