|
Message-ID: <bff5442e-9ecd-9493-7397-7030ade63e81@huawei.com> Date: Tue, 6 Jun 2017 17:51:26 +0300 From: Igor Stoppa <igor.stoppa@...wei.com> To: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>, <casey@...aufler-ca.com>, <keescook@...omium.org>, <mhocko@...nel.org>, <jmorris@...ei.org> CC: <paul@...l-moore.com>, <sds@...ho.nsa.gov>, <hch@...radead.org>, <labbott@...hat.com>, <linux-mm@...ck.org>, <linux-kernel@...r.kernel.org>, <kernel-hardening@...ts.openwall.com> Subject: Re: [PATCH 4/5] Make LSM Writable Hooks a command line option On 06/06/17 17:36, Tetsuo Handa wrote: > Igor Stoppa wrote: >> For the case at hand, would it work if there was a non-API call that you >> could use until the API is properly expanded? > > Kernel command line switching (i.e. this patch) is fine for my use cases. > > SELinux folks might want > > -static int security_debug; > +static int security_debug = IS_ENABLED(CONFIG_SECURITY_SELINUX_DISABLE); ok, thanks, I will add this > so that those who are using SELINUX=disabled in /etc/selinux/config won't > get oops upon boot by default. If "unlock the pool" were available, > SELINUX=enforcing users would be happy. Maybe two modes for rw/ro transition helps. > > oneway rw -> ro transition mode: can't be made rw again by calling "unlock the pool" API > twoway rw <-> ro transition mode: can be made rw again by calling "unlock the pool" API This was in the first cut of the API, but I was told that it would require further rework, to make it ok for upstream, so we agreed to do first the lockdown/destroy only part and the the rewrite. Is there really a valid use case for unloading SE Linux? Or any other security module. -- igor
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.