On 2/1/2022 04:29, Russell Coker wrote:
[ 9.002945] audit: type=1400 audit(1643707510.152:4): avc: denied { integrity } for pid=371 comm="modprobe" lockdown_reason="unsigned module loading" scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:system_r:kmod_t:s0 tclass=lockdown permissive=0

We need to have a boolean for this. Just sending email so I don't forget it.

Switching to the refpolicy mail list.
The lockdown checks were removed in 5.16. IMO we should allow all
domains both lockdown permissions until the lockdown class in the policy
is removed.
--
Chris PeBenito
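
Added example, not part of the original thread: a small triage script that parses AVC records like the one quoted above and lists which source domains hit `lockdown`-class denials, with the permission, the `lockdown_reason`, and whether the denial was enforced. The first sample record is the one from this thread; the other two records, the `example_t` type, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: record 1 is the denial quoted in this thread,
# records 2 and 3 are made up to exercise the parser.
SAMPLE_LOG = '''\
[ 9.002945] audit: type=1400 audit(1643707510.152:4): avc: denied { integrity } for pid=371 comm="modprobe" lockdown_reason="unsigned module loading" scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:system_r:kmod_t:s0 tclass=lockdown permissive=0
[ 9.100000] audit: type=1400 audit(1643707510.250:5): avc: denied { read } for pid=400 comm="cat" name="shadow" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
[ 9.200000] audit: type=1400 audit(1643707510.350:6): avc: denied { confidentiality } for pid=410 comm="example" lockdown_reason="use of tracefs" scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:example_t:s0 tclass=lockdown permissive=1
'''

# "avc: denied { perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
# A value is either a double-quoted string (may contain spaces) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields plus 'perms', or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def lockdown_denials(log):
    """Map source type -> set of (permission, lockdown_reason, enforced)."""
    out = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get('tclass') != 'lockdown':
            continue  # skip non-AVC lines and denials on other classes
        domain = rec['scontext'].split(':')[2]  # user:role:type:level
        enforced = rec.get('permissive') == '0'
        for perm in rec['perms']:
            out[domain].add((perm, rec.get('lockdown_reason', ''), enforced))
    return dict(out)


if __name__ == '__main__':
    for domain, hits in sorted(lockdown_denials(SAMPLE_LOG).items()):
        for perm, reason, enforced in sorted(hits):
            state = 'enforced' if enforced else 'permissive'
            print(f'{domain}: lockdown {perm} ({reason}) [{state}]')
```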