On Sat, 11 Aug 2001, Greg KH wrote:

>
> Actually, if the SELinux kernel module allows that to happen by _any_
> random user app, then the kernel module has a bug :)
>

From out-of-band...

Can't a security module block its own removal using the delete_module hook? If not, wouldn't it solve this problem completely to make sure a security module CAN NOT be removed without the module's permission?

If two modules need to be primary, failing to remove one prevents the "silent (unknown by application)" change quite effectively.

Wait, the module already knows it's being removed... can't it reap any applications in a sleeping/wait state?

Additionally, is it likely that admins are going to "swap modules" midstream without a reboot? I don't think it's going to happen in 1/1000000 cases. When *I* change a module, I reboot cycle... just to be *sure* the kernel is in a known state. (Paranoia on the other side.)

Confused,
J. Melvin Jones

P.S. -- You know... refusing to exit is a function that modules can't perform in Linux. If we haven't already caught this, we probably should, so a security module can say "no way!"

|>------------------------------------------------------
|| J. MELVIN JONES jmjonesat_private
|>------------------------------------------------------
|| Microcomputer Systems Consultant
|| Software Developer
|| Web Site Design, Hosting, and Administration
|| Network and Systems Administration
|>------------------------------------------------------
|| http://www.jmjones.com/
|>------------------------------------------------------
This archive was generated by hypermail 2b30 : Sun Aug 12 2001 - 17:09:47 PDT