>>SELinux Mailing List: by thread

Search
What's new?
Contents
Overview
What's New
Frequently Asked Questions
Background
Documentation
License
Download
Participating
Mail List
Archive Summary
Archive by Thread
Archive by Author
Archive by Date
Archive by Subject
Remaining Work
Contributors
Related Work
Press Releases
  • Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
From: Giovanni Mugnai <giovanni_at_unirel.it>
Subject: Security policies change prevention!
Date: Fri, 23 Nov 2001 11:13:15 +0100


I have begun reading about selinux lately; I have read the security policy configuration could be changed at runtime by the security_load_policy call. I would like to know if it's possible to prevent security policy configuration runtime changes, e.g. by a suitable kernel configuration, and where I could read something about it.

Thanks

Giovanni Mugnai, UniRel

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
From: Stephen Smalley <sds_at_tislabs.com>
Subject: Re: Security policies change prevention!
Date: Sat, 24 Nov 2001 12:31:35 -0500 (EST)
On Fri, 23 Nov 2001, Giovanni Mugnai wrote:

> I have begun reading about selinux lately; I have read the security policy
> configuration could be changed at runtime by the security_load_policy call.
> I would like to know if it's possible to prevent security policy
> configuration runtime changes, e.g. by a suitable kernel configuration, and
> where I could read something about it.

This call is controlled by the load_policy permission. In the example policy configuration, this permission is only granted to the sysadm_t domain for administrators. If you remove this permission from policy/domains/admin/sysadm.te, then runtime policy changes will no longer be permitted.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
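
The following is an added example, not part of the message above and not code from the SELinux distribution: a check that scans policy source text for any `allow` rule that still grants `load_policy`, so the edit described in the reply can be verified. The rule syntax handled here, the class name `security`, the function names and the sample rules are assumptions; the sample is constructed and is not the real sysadm.te.

```python
import re

# One field of a TE rule: a brace set (optionally '~'-complemented), '*',
# or a single identifier (optionally '~'-complemented). Assumed syntax.
FIELD = r"(~?\{[^}]*\}|\*|~?[\w.$]+)"
# \ballow does not match inside 'neverallow' or 'auditallow'.
ALLOW_RE = re.compile(
    r"\ballow\s+" + FIELD + r"\s+" + FIELD + r"\s*:\s*" + FIELD
    + r"\s+" + FIELD + r"\s*;")


def covers(field, name):
    """True if a class or permission field includes `name`."""
    if field == "*":
        return True
    names = set(re.findall(r"[\w.$]+", field))
    # '~{ a b }' means everything except a and b.
    return (name not in names) if field.startswith("~") else (name in names)


def find_load_policy_grants(policy_text):
    """Return (source, target) fields of every allow rule that grants
    load_policy on the security class, in order of appearance."""
    text = re.sub(r"#.*", "", policy_text)  # drop comments first
    return [(src, tgt)
            for src, tgt, cls, perms in ALLOW_RE.findall(text)
            if covers(cls, "security") and covers(perms, "load_policy")]


# Constructed sample rules for illustration only.
SAMPLE = """
allow sysadm_t security_t:security { load_policy compute_av };
allow user_t security_t:security compute_av;   # no load_policy here
# allow old_t security_t:security load_policy;
allow initrc_t security_t:security ~{ compute_av };
neverallow user_t security_t:security load_policy;
allow kernel_t file_t:file { read write };
"""

if __name__ == "__main__":
    for src, tgt in find_load_policy_grants(SAMPLE):
        print("load_policy still granted:", src, "->", tgt)
```

Run it over the macro-expanded policy source rather than a single .te file, so a grant introduced through a macro or a complemented permission set is not missed.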


This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT
