On Wed, Nov 27, 2019 at 12:04 PM Stephen Smalley wrote:
> Implement a SELinux hook for lockdown. If the lockdown module is also
> enabled, then a denial by the lockdown module will take precedence over
> SELinux, so SELinux can only further restrict lockdown decisions.
> The SELinux hook only dis

Implement a SELinux hook for lockdown. If the lockdown module is also
enabled, then a denial by the lockdown module will take precedence over
SELinux, so SELinux can only further restrict lockdown decisions.
The SELinux hook only distinguishes at the granularity of integrity
versus confidentiality

On Wed, 27 Nov 2019, Stephen Smalley wrote:
> avc: denied { confidentiality } for pid=4628 comm="cp"
> lockdown_reason="/proc/kcore access"
> scontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c10