> Even just having them in the kernel context would be an improvement over the
> current situation.
>
> We have just had to change policy to allow the init program greater access
> than it would otherwise require because a kernel thread needed more access,
> which is not desirable.

This can be handled just by changing the selinux_task_reparent_to_init hook
function to use a different SID. Not clear what that SID should be, e.g. the
kernel SID (maps to kernel_t, presently assigned to the initial task), the
kmod SID (maps to kmod_t, formerly assigned for kernel module loader and
hotplug), or a completely new initial SID and domain.

--
Stephen Smalley, NSA

_______________________________________________
linux-security-module mailing list
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Thu Mar 27 2003 - 05:02:44 PST