On Wed, 2004-06-30 at 01:21, Arjan van de Ven wrote:
> Hi,
>
> as you will be able to see in today's rawhide, we're experimenting with
> adding a patch for gpg-signed kernel modules. The idea behind this is
> for the administrator to *optionally* [1] restrict the set of modules
> that can be linked into the kernel. In selinux context one can even
> eventually allow different security contexts to load different subsets
> of modules, by restricting certain contexts to predefined gpg keys
> only.
>
> The work isn't complete yet by far, this is just a heads up. Input for
> creative uses of this infrastructure is welcome :)

I have a long list of machines that would love this.. especially if it
can be worked into not voiding a RHEL contract in the future :).
Basically, there is always a class of machines that may be RHEL that
have to split between getting support and being able to show that kernel
can't be easily tampered with while running.

[Now to just figure out how to get some of the advanced patch-o-matic
patches in for connection tracking and not void my RHEL support ;)]

--
Stephen John Smoogen smoogen@xxxxxxxx
Los Alamos National Lab CCN-5 Sched 5/40 PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545
-- Please, I have had too much of the stupid today. Please wait until
-- tomorrow to say these things so my tolerance has refreshed.