On Tuesday 13 September 2005 01:00, Stephen Smalley <sds@tycho.nsa.gov> wrote:
NB: Setting secure_mode_policyload to default to 1 at boot time will work, but that means policy can only be loaded once at boot (should be able to install new policy and reboot the machine though). Setting secure_mode_insmod at boot will probably make the boot process fail for all non-trivial machines; the initial values of booleans are set before modules for devices such as Ethernet cards. Setting secure_mode_insmod after the boot process is completed might be a good idea if you have no plans to use USB or Cardbus/PCMCIA; there have been exploits which relied on the ability to trick the system into loading modules (e.g. the ptrace exploit).
Did you attach the wrong patch? The one you sent doesn't define new booleans; it just wraps additional rules with the existing secure_mode boolean.
I attached the patch, re-worked it, and then forgot to attach the new patch.
The correct patch is attached to this message.
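As an added illustration of the post-boot caveat discussed above (not code from the thread or from the SELinux project): a small POSIX shell script that only turns on secure_mode_insmod once boot has finished and no hot-plug bus drivers are loaded. The list of module names treated as "hot-plug" (USB and PCMCIA/CardBus drivers) is an assumption made here, the lsmod-style snapshot is constructed sample input, and the boolean is set at run time only (no -P), so the boot-time default stays untouched and a reboot restores normal module loading.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Decide after boot whether enabling secure_mode_insmod is reasonable:
# refuse while USB or PCMCIA/CardBus drivers are present, because those
# buses may still need the kernel to autoload further modules later.

# Constructed lsmod-style snapshot used as sample input (not a real machine).
SAMPLE_LSMOD='Module                  Size  Used by
e1000                  123456  0
ext4                   567890  1
usb_storage             65536  0
usbcore                234567  2 usb_storage'

# Module names assumed here to indicate hot-plug buses (assumption, not exhaustive).
HOTPLUG_RE='^(usbcore|usb_storage|ehci_hcd|ohci_hcd|uhci_hcd|pcmcia|pcmcia_core|yenta_socket)$'

# hotplug_modules_loaded LSMOD_TEXT
#   Prints the offending module names; exit status 0 if any were found.
hotplug_modules_loaded() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $1 }' | grep -E "$HOTPLUG_RE"
}

# insmod_lock_advisable LSMOD_TEXT
#   Exit status 0 when no hot-plug driver is loaded, 1 otherwise.
insmod_lock_advisable() {
    if hotplug_modules_loaded "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# apply_insmod_lock LSMOD_TEXT
#   Sets the boolean at run time (not persistently) when advisable.
#   Falls back to printing the command when setsebool is unavailable.
apply_insmod_lock() {
    if insmod_lock_advisable "$1"; then
        if command -v setsebool >/dev/null 2>&1; then
            setsebool secure_mode_insmod 1
        else
            echo "would run: setsebool secure_mode_insmod 1"
        fi
        return 0
    fi
    echo "hot-plug drivers loaded; leaving secure_mode_insmod off" >&2
    return 1
}

# Stand-alone use: pass the live module table in; here the constructed sample.
apply_insmod_lock "$SAMPLE_LSMOD"
```

Run it from a late boot hook (after network and device modules are loaded) with `apply_insmod_lock "$(lsmod)"`; on the constructed sample it declines because usb_storage and usbcore are present.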