Re: kmod and unsigned modules

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Feb 1, 2022 at 7:34 AM Chris PeBenito
<chpebeni@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On 2/1/2022 04:29, Russell Coker wrote:
> > [    9.002945] audit: type=1400 audit(1643707510.152:4): avc:  denied  {
> > integrity } for  pid=371 comm="modprobe" lockdown_reason="unsigned module
> > loading" scontext=system_u:system_r:kmod_t:s0
> > tcontext=system_u:system_r:kmod_t:s0 tclass=lockdown permissive=0
> >
> > We need to have a boolean for this.  Just sending email so I don't forget it.
>
> Switching to the refpolicy mail list.
>
> The lockdown checks were removed in 5.16.  IMO we should allow all
> domains both lockdown permissions until the lockdown class in the policy
> is removed.

For reference, here is the related discussion thread:

https://lore.kernel.org/selinux/163243191040.178880.4295195865966623164.stgit@olly

-- 
paul-moore.com



[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux