From: Bill Davidsen <davidsen@tmr.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>,
Alexey Dobriyan <adobriyan@sw.ru>,
linux-kernel@vger.kernel.org, eparis@parisplace.org,
casey@schaufler-ca.com
Subject: Re: SMACK or SELinux, but not both
Date: Thu, 28 Feb 2008 16:11:01 -0500
Message-ID: <47C72365.4060506@tmr.com>
In-Reply-To: <1204029576.2804.260.camel@moss-spartans.epoch.ncsc.mil>

Stephen Smalley wrote:
> On Tue, 2008-02-26 at 20:28 +1100, James Morris wrote:
>> On Tue, 26 Feb 2008, Alexey Dobriyan wrote:
>>
>>> If SELinux is registered before SMACK, SMACK panics after
>>> register_security() call.
>>>
>>> If SMACK is registered before SELinux, SELinux panics after
>>> register_security() call.
>>>
>>> Consequently allmodconfig kernel doesn't boot. It would be nice if
>>> some Kconfig magic to exclude each other were in place.
>> People want to be able to select the security model at boot time, so the
>> option to build both LSMs is required.
>>
>> You can stop SELinux from attempting to register as an LSM via selinux=0,
>> which should allow you to boot with just Smack enabled.
>
> Ideally, one could just boot with security=<module> to select the
> desired primary security module. security=smack, security=selinux, or
> security=capability.
>
> Having to specify selinux=0 smack=0 foo=0 just to get bar wouldn't be
> pretty. Not that anyone would want to do that, of course...
>
And doesn't scale well as we add more security models. Oh, that will
never happen, right? I still like "security="

--
Bill Davidsen <davidsen@tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot