On Tue, Feb 1, 2022 at 7:34 AM Chris PeBenito <chpebeni@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On 2/1/2022 04:29, Russell Coker wrote:
> > [ 9.002945] audit: type=1400 audit(1643707510.152:4): avc: denied {
> > integrity } for pid=371 comm="modprobe" lockdown_reason="unsigned module
> > loading" scontext=system_u:system_r:kmod_t:s0
> > tcontext=system_u:system_r:kmod_t:s0 tclass=lockdown permissive=0
> >
> > We need to have a boolean for this. Just sending email so I don't forget it.
>
> Switching to the refpolicy mail list.
>
> The lockdown checks were removed in 5.16. IMO we should allow all
> domains both lockdown permissions until the lockdown class in the policy
> is removed.

For reference, here is the related discussion thread:

https://lore.kernel.org/selinux/163243191040.178880.4295195865966623164.stgit@olly

--
paul-moore.com