From: Adrian Bunk <bunk@stusta.de>
To: Scott Preece <sepreece@gmail.com>
Cc: James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Christian Ehrhardt <lk@c--e.de>,
Andrew Morton <akpm@linux-foundation.org>,
Chris Wright <chrisw@sous-sol.org>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
Stephen Smalley <sds@tycho.nsa.gov>,
"Serge E. Hallyn" <serue@us.ibm.com>,
Arjan van de Ven <arjan@infradead.org>
Subject: Re: [PATCH try #3] security: Convert LSM into a static interface
Date: Thu, 19 Jul 2007 15:16:40 +0200
Message-ID: <20070719131640.GT3801@stusta.de>
In-Reply-To: <7b69d1470707190556n78e52232y7dfea1fd6f47ced@mail.gmail.com>

On Thu, Jul 19, 2007 at 07:56:53AM -0500, Scott Preece wrote:
> On 7/19/07, James Morris <jmorris@namei.org> wrote:
>> On Thu, 19 Jul 2007, Serge E. Hallyn wrote:
>>
>> > If we could get a few (non-affiliated :) people who work with
>> > customers in the security field to tell us whether this is being
>> > used, that would be very helpful. Not sure how to get that.
>>
>> The mainline kernel does not cater to out of tree code.
>
> Please distinguish between "cater to" and "support". If the kernel
> didn't worry about supporting out-of-tree code, then why would there
> be loadable modules at all?
>...

Distribution kernels need modules or the kernel images would be
extremely large.

> Another twist is to use a tool to generate the module from a
> policy-definition file; this could be done at boot-time or could be
> done to replace the current policy on a running system (perhaps to add
> a new domain corresponding to a newly added service). Yes, this would
> need to be done with a lot of care, but part of providing mechanism
> (rather than policy) is enabling people to use the mechanism in the
> ways they prefer.

Why do you need to generate a module for changing a policy?
Software like SELinux contains the mechanisms to change the policy
without having to change the kernel.

> scott

cu
Adrian

--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed