Re: [PATCH] [LSM] Rework LSM hooks

From: James Morris
Date: Tue Aug 10 2004 - 08:38:02 EST


On Tue, 10 Aug 2004, Kurt Garloff wrote:

> Hi,
>
> while looking into LSM hooks and SElinux for SLES9, we came across
> a couple of issues and the whole thing ended up in a patch that I
> think should be applied upstream.
>
> Some boundary conditions:
> * We don't want to use selinux by default: The complexity to set up a
> secure system using it is currently quite complex
> * The impact of SElinux on performance on SMP is disastrous

This is a known issue and is being worked on.

> * SElinux needs to be compiled in
> * CONFIG_SECURITY should remain on -- it allows the flexibility to
> use different LSMs
> * This however has the nasty side-effect of ending up with a system
> that uses dummy rather than the Linux default capabilities; so your
> boot up scripts need to take care of loading it. Making capability
> static is no option either, of course, as you want to be able to
> use a different primary LSM or load capability as secondary LSM.
> * Even with selinux=0 and capability loaded, the kernel takes a
> few percents in networking benchmarks (measured by HP on ia64);
> this is caused by the slowliness of indirect jumps on ia64.
>
> The first patch patch does just change the selinux default; so you
> need to enable with selinux=1.

This issue has been through a couple of iterations and the current scheme
where if you have SELinux enabled, it is on by default, is aimed at being
more secure by default. On some platforms, boot parameters are not
feasible. To allow SELinux to be disable for these, the /selinux/disable
node was implemented, which allows SELinux to be unregistered during boot.
I suggest you investigate using this; look at what Fedora does.


- James
--
James Morris
<jmorris@xxxxxxxxxx>


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/