Re: [PATCH] selinux: measure state and policy capabilities

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, Jan 24, 2021 at 12:04 PM Lakshmi Ramasubramanian
<nramas@xxxxxxxxxxxxxxxxxxx> wrote:
> On 1/22/21 1:21 PM, Paul Moore wrote:

...

> >> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> >> index 644b17ec9e63..879a0d90615d 100644
> >> --- a/security/selinux/hooks.c
> >> +++ b/security/selinux/hooks.c
> >> @@ -7407,6 +7408,10 @@ int selinux_disable(struct selinux_state *state)
> >>
> >>          selinux_mark_disabled(state);
> >>
> >> +       mutex_lock(&state->policy_mutex);
> >> +       selinux_ima_measure_state(state);
> >> +       mutex_unlock(&state->policy_mutex);
> >
> > I'm not sure if this affects your decision to include this action in
> > the measurements, but this function is hopefully going away in the not
> > too distant future as we do away with support for disabling SELinux at
> > runtime.
> >
> > FWIW, I'm not sure it's overly useful anyway; you only get here if you
> > never had any SELinux policy/state configured and you decide to
> > disable SELinux instead of loading a policy.  However, I've got no
> > objection to this code.
>
> If support for disabling SELinux at runtime will be removed, then I
> don't see a reason to trigger a measurement here. I'll remove this
> measurement.

It's currently marked as deprecated, see
Documentation/ABI/obsolete/sysfs-selinux-disable.

-- 
paul moore
www.paul-moore.com



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux