Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 6 Jun 2017 17:51:26 +0300
From: Igor Stoppa <>
To: Tetsuo Handa <>,
        <>, <>, <>,
CC: <>, <>, <>,
        <>, <>,
        <>, <>
Subject: Re: [PATCH 4/5] Make LSM Writable Hooks a command line option

On 06/06/17 17:36, Tetsuo Handa wrote:
> Igor Stoppa wrote:
>> For the case at hand, would it work if there was a non-API call that you
>> could use until the API is properly expanded?
> Kernel command line switching (i.e. this patch) is fine for my use cases.
> SELinux folks might want
> -static int security_debug;
> +static int security_debug = IS_ENABLED(CONFIG_SECURITY_SELINUX_DISABLE);

ok, thanks, I will add this

> so that those who are using SELINUX=disabled in /etc/selinux/config won't
> get oops upon boot by default. If "unlock the pool" were available,
> SELINUX=enforcing users would be happy. Maybe two modes for rw/ro transition helps.
>   oneway rw -> ro transition mode: can't be made rw again by calling "unlock the pool" API
>   twoway rw <-> ro transition mode: can be made rw again by calling "unlock the pool" API

This was in the first cut of the API, but I was told that it would
require further rework, to make it ok for upstream, so we agreed to do
first the lockdown/destroy only part and the the rewrite.

Is there really a valid use case for unloading SE Linux?
Or any other security module.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.