Re: SMACK or SELinux, but not both

[Bill Davidsen]

Stephen Smalley wrote:
> On Tue, 2008-02-26 at 20:28 +1100, James Morris wrote:
> > On Tue, 26 Feb 2008, Alexey Dobriyan wrote:
> >
> > > If SELinux is registered before SMACK, SMACK panics after
> > > register_security() call.
> > >
> > > If SMACK is registered before SELinux, SELinux panics after
> > > register_security() call.
> > >
> > > Consequently allmodconfig kernel doesn't boot. It would be nice if
> > > some Kconfig magic to exclude each other will be in place.
> > People want to be able to select the security model at boot time, so the 
> > option to build both LSMs is required.
> >
> > You can stop SELinux from attempting to register as an LSM via selinux=0, 
> > which should allow you to boot with just Smack enabled.
>
> Ideally, one could just boot with security=<module> to select the
> desired primary security module.  security=smack, security=selinux, or
> security=capability.
>
> Having to specify selinux=0 smack=0 foo=0 just to get bar wouldn't be
> pretty.  Not that anyone would want to do that, of course...
And doesn't scale well as we add more security models. Oh, that will 
never happen, right? I still like "security="

--
Bill Davidsen <davidsen@xxxxxxx>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/