On Tuesday 13 September 2005 01:00, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
> > NB Setting secure_mode_policyload to default to 1 at boot time will
> > work, but that means policy can only be loaded once at boot (should be
> > able to install new policy and reboot the machine though). Setting
> > secure_mode_insmod at boot will probably make the boot process fail for
> > all non-trivial machines; the initial values of booleans are set before
> > modules for devices such as Ethernet cards. Setting secure_mode_insmod
> > after the boot process is completed might be a good idea if you have no
> > plans to use USB or Cardbus/PCMCIA; there have been exploits which relied
> > on the ability to trick the system into loading modules (e.g. the ptrace
> > exploit).
> Did you attach the wrong patch? The one you sent doesn't define new
> booleans; it just wraps additional rules with the existing secure_mode
> boolean.
I attached the patch, re-worked it, and then forgot to attach the new patch.
The correct patch is attached to this message.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page