* Re: kmod and unsigned modules
From: Chris PeBenito @ 2022-02-01 12:34 UTC (permalink / raw)
To: russell, SELinux Reference Policy mailing list
On 2/1/2022 04:29, Russell Coker wrote:
> [ 9.002945] audit: type=1400 audit(1643707510.152:4): avc: denied {
> integrity } for pid=371 comm="modprobe" lockdown_reason="unsigned module
> loading" scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:system_r:kmod_t:s0 tclass=lockdown permissive=0
>
> We need to have a boolean for this. Just sending email so I don't forget it.

Switching to the refpolicy mail list.

The lockdown checks were removed in 5.16. IMO we should allow all
domains both lockdown permissions until the lockdown class in the policy
is removed.

--
Chris PeBenito
* Re: kmod and unsigned modules
From: Paul Moore @ 2022-02-01 14:14 UTC (permalink / raw)
To: Chris PeBenito; +Cc: russell, SELinux Reference Policy mailing list
On Tue, Feb 1, 2022 at 7:34 AM Chris PeBenito
<chpebeni@linux.microsoft.com> wrote:
>
> On 2/1/2022 04:29, Russell Coker wrote:
> > [ 9.002945] audit: type=1400 audit(1643707510.152:4): avc: denied {
> > integrity } for pid=371 comm="modprobe" lockdown_reason="unsigned module
> > loading" scontext=system_u:system_r:kmod_t:s0
> > tcontext=system_u:system_r:kmod_t:s0 tclass=lockdown permissive=0
> >
> > We need to have a boolean for this. Just sending email so I don't forget it.
>
> Switching to the refpolicy mail list.
>
> The lockdown checks were removed in 5.16. IMO we should allow all
> domains both lockdown permissions until the lockdown class in the policy
> is removed.

For reference, here is the related discussion thread:

https://lore.kernel.org/selinux/163243191040.178880.4295195865966623164.stgit@olly

--
paul-moore.com