Re: Security policies change prevention!

From: Stephen Smalley <sds_at_tislabs.com>
Date: Sat, 24 Nov 2001 12:31:35 -0500 (EST)

On Fri, 23 Nov 2001, Giovanni Mugnai wrote:

> I have begun reading about selinux lately, I have read the security policy
> configuration could be changed at runtime by the security_load_policy call.
> I would like to know if it's possible to prevent security policy
> configuration runtime changes, e.g. by a suitable kernel configuration, and
> where I could read something about it.

This call is controlled by the load_policy permission. In the example policy configuration, this permission is only granted to the sysadm_t domain for administrators. If you remove this permission from policy/domains/admin/sysadm.te, then runtime policy changes will no longer be permitted.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




Received on Sat 24 Nov 2001 - 12:41:01 EST
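
An added example, not part of the original message or of the SELinux example policy: a Python check that lists every domain still granted load_policy in policy source text, so the removal described in the reply can be verified. It assumes the permission belongs to the `security` object class and that rules are plain `allow` statements (m4 macros are not expanded); the function name and the sample rules are constructed.

```python
import re

# Assumptions (not from the original message): load_policy is a permission of
# the "security" class; rules use `allow source target:class perms;` syntax.
PERM, CLASS = "load_policy", "security"

RULE = re.compile(
    r"\ballow\s+(?P<src>\{[^}]*\}|\S+)\s+"
    r"(?P<tgt>\{[^}]*\}|[^\s:]+)\s*:\s*"
    r"(?P<cls>\{[^}]*\}|\S+)\s+"
    r"(?P<perms>~?\s*\{[^}]*\}|[^\s;]+)\s*;")

def names(field):
    """Split 'a', '{ a b }' or '~{ a b }' into a list of identifiers."""
    return field.strip("~ \t\n").strip("{}").split()

def grants(perms):
    """True if the permission field includes load_policy."""
    perms = perms.strip()
    if perms == "*":                      # wildcard: every permission
        return True
    listed = PERM in names(perms)
    # '~{...}' means every permission except the listed ones
    return not listed if perms.startswith("~") else listed

def find_load_policy_grants(policy_text):
    """Return the sorted source domains that may load a new policy."""
    text = re.sub(r"#[^\n]*", "", policy_text)   # drop comments first
    hits = set()
    for m in RULE.finditer(text):
        if CLASS in names(m["cls"]) and grants(m["perms"]):
            hits.update(names(m["src"]))
    return sorted(hits)

# Constructed sample rules; only sysadm_t is taken from the message above.
SAMPLE = """
allow sysadm_t security_t:security load_policy;
allow user_t security_t:security { compute_av
    sid_to_context };
# allow user_t security_t:security load_policy;
allow initrc_t security_t:security ~{ load_policy };
allow kernel_t security_t:security *;
allow { staff_t secadm_t } security_t:{ security system } { compute_av load_policy };
allow sysadm_t etc_t:file { read write };
"""

if __name__ == "__main__":
    print(find_load_policy_grants(SAMPLE))
```

An empty result over all policy source files means no literal rule grants the permission; grants hidden inside macros need the expanded policy to be checked instead.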
