Re: [PATCH][RFC] Remove kmod_set_label hook

From: Chris Wright (chrisat_private)
Date: Thu Mar 27 2003 - 09:22:10 PST

    * Stephen D. Smalley (sdsat_private) wrote:
    > > Even just having them in the kernel context would be an improvement over the 
    > > current situation.
    > > 
    > > We have just had to change policy to allow the init program greater access 
    > > than it would otherwise require because a kernel thread needed more access, 
    > > which is not desirable.
    > This can be handled just by changing the selinux_task_reparent_to_init
    > hook function to use a different SID.  Not clear what that SID should
    > be, e.g. the kernel SID (maps to kernel_t, presently assigned to the
    > initial task), the kmod SID (maps to kmod_t, formerly assigned for
    > kernel module loader and hotplug), or a completely new initial SID and
    > domain.
    I'd have figured kernel_t.  The way I see it, /sbin/init is a program
    that has a well defined domain entrance point (execve()), and doesn't
    have the same privilege requirements as the initial kernel threads.