>>>>> On Fri, 22 Aug 2008 09:37:44 -0700, Bill Broadley <[EMAIL PROTECTED]> >>>>> said:
BB> I meant via root. Does it work on your system by default? Err... Not actually sure. I don't run SELinux by default since I have a heavy development machine and it doesn't work perfectly (I'm a prime example of someone who needs a better method for policy tweaking). I suspect that there is a device I could write to that would let me trump something in memory not assigned to the current process. But I'm not a heavy kernel hacker ;-) BB> The signed modules has an implementation, and doesn't require the BB> reboots. I think I've come off too negative, btw. I actually *do* want you to succeed. I was trying to point out all the things that need to be thought about :-) I do think they're all work-around-able. They just all need to be done. One more thought: are you going to allow people to generate private keys for loading privately compiled modules (preferably offline or on a different system)? IE, do you have any kernel modules loaded that aren't distributed from your distro vendor? Things like self-compiled vmware, nvidia, etc drivers need to be signed... If you only have a distro key you've locked yourself out too (which is both good and bad). -- "In the bathtub of history the truth is harder to hold than the soap, and much more difficult to find." -- Terry Pratchett _______________________________________________ vox-tech mailing list vox-tech@lists.lugod.org http://lists.lugod.org/mailman/listinfo/vox-tech