Re: [PATCH][RFC] Remove kmod_set_label hook

From: Russell Coker (russellat_private)
Date: Thu Mar 27 2003 - 05:25:05 PST

  • Next message: Chris Wright: "Re: [PATCH][RFC] Remove kmod_set_label hook"

    On Thu, 27 Mar 2003 14:09, Stephen D. Smalley wrote:
    > > Even just having them in the kernel context would be an improvement over
    > > the current situation.
    > >
    > > We have just had to change polity to allow the init program greater
    > > access than it would otherwise require because a kernel thread needed
    > > more access, which is not desirable.
    > This can be handled just by changing the selinux_task_reparent_to_init
    > hook function to use a different SID.  Not clear what that SID should
    > be, e.g. the kernel SID (maps to kernel_t, presently assigned to the
    > initial task), the kmod SID (maps to kmod_t, formerly assigned for
    > kernel module loader and hotplug), or a completely new initial SID and
    > domain.
    Is kmod_t going away or going to cease being used for modprobe/hotplug?
    I think that having the lockd thread in question running as kmod_t is not a 
    good idea, it's not what you would expect.  kernel_t would be logical choice 
    as a new user would expect such a kernel thread to run in kernel_t.
    A completely different SID would be OK, but then would we need a series of 
    different SIDs for different kernel threads?
    --   My NSA Security Enhanced Linux packages  Bonnie++ hard drive benchmark    Postal SMTP/POP benchmark  My home page
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Thu Mar 27 2003 - 09:53:48 PST