From 57d236548bc1d1e5e28844166e4b31a6a28369c1 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 18 Apr 2005 20:17:25 +0000
Subject: [PATCH] move assert.te here

---
 refpolicy/policy/modules/kernel/kernel.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index b89320eaf..ba189bf88 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -55,6 +55,14 @@ neverallow ~can_load_policy security_t:security load_policy;
 neverallow ~can_setenforce security_t:security setenforce;
 neverallow ~can_setsecparam security_t:security setsecparam;
 
+# enabling dyntransition breaks process tranquility. If you dont
+# know what this means or dont understand the implications of a
+# dynamic transition, you shouldnt be using it!!!
+neverallow * *:process { setcurrent dyntransition };
+
+attribute can_load_kernmodule;
+neverallow ~can_load_kernmodule *:capability sys_module;
+
 ########################################
 #
 # sysfs_t is the type for /sys
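Review bot: The new `can_load_kernmodule` attribute and its `neverallow` on `sys_module` carry no comment, and the dyntransition comment above them warns the reader off without saying what the assertion protects. I would put `# sys_module lets a domain load kernel modules; only domains given can_load_kernmodule may hold it.` above the attribute line, and open the first comment with something like `# A process label must stay fixed between execs (tranquility); setcurrent/dyntransition change it in place.` Both rules are assertions checked when the policy is compiled, so these comments are where a maintainer learns why a build was rejected. The attribute is also declared inline next to its rule; if the other `can_*` attributes are declared together elsewhere in kernel.te (not visible in this hunk), it would read better alongside them.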