russell at coker.com.au
Sat Sep 17 12:35:29 UTC 2005
On Tuesday 13 September 2005 01:00, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> > NB: Setting secure_mode_policyload to default to 1 at boot time will
> > work, but that means policy can only be loaded once at boot (you should be
> > able to install new policy and reboot the machine, though). Setting
> > secure_mode_insmod at boot will probably make the boot process fail for
> > all non-trivial machines; the initial values of booleans are set before
> > modules for devices such as Ethernet cards are loaded. Setting secure_mode_insmod
> > after the boot process is completed might be a good idea if you have no
> > plans to use USB or Cardbus/PCMCIA; there have been exploits which relied
> > on the ability to trick the system into loading modules (e.g. the ptrace
> > exploit).
> Did you attach the wrong patch? The one you sent doesn't define new
> booleans; it just wraps additional rules with the existing secure_mode
I attached the patch, re-worked it, and then forgot to attach the new patch.
The correct patch is attached to this message.
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3137 bytes
Desc: not available