new kernel feature in progress

Stephen Smoogen smoogen at lanl.gov
Wed Jun 30 16:18:23 UTC 2004


On Wed, 2004-06-30 at 01:21, Arjan van de Ven wrote:
> Hi,
> 
> as you will be able to see in today's rawhide, we're experimenting with
> adding a patch for gpg-signed kernel modules. The idea behind this is
> for the administrator to *optionally* [1] restrict the set of modules
> that can be linked into the kernel. In selinux context one can even
> eventually allow different security contexts to load different subsets
> of modules, by restricting certain contexts to predefined gpg keys
> only.
> 
> The work isn't complete yet by far, this is just a heads up. Input for
> creative uses of this infrastructure is welcome :)

I have a long list of machines that would love this.. especially if it
can be worked into not voiding a RHEL contract in the future :). 

Basically, there is always a class of machines that may be RHEL that
have to split between getting support and being able to show that the kernel
can't be easily tampered with while running. [Now to just figure out how
to get some of the advanced patch-o-matic patches in for connection
tracking and not void my RHEL support ;)]


-- 
Stephen John Smoogen		smoogen at lanl.gov
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- Please, I have had too much of the stupid today. Please wait until
-- tomorrow to say these things so my tolerance has refreshed. 




