Feb 11, 2008 at 12:14 PM, "Alon Bar-Lev" <[EMAIL PROTECTED]> wrote:
> On 2/11/08, Adam Jerome <[EMAIL PROTECTED]> wrote:
>> As for Novell/SuSE, I suspect that the work done by upstream to make
>> LSM static-link only will most likely be reverted for SLED/SLES 11.
>> Meaning that LSM may continue to be a viable alternative for some time.

That is a great question. I am not sure I have the correct answer.

I do know that as the patch was being considered, Linus called for anyone to refute the patch; and more specifically, he asked all projects that were using LSM (that might be considering submission of their project upstream at some point) to make themselves known. From what I saw, no such projects made themselves known.

From a (rather hard-core) upstream perception, the only one using LSM was SELinux (being that they were the only ones who had submitted upstream). So, (as the logic went), if SELinux is the only valid LSM client and SELinux is a compiled-in kernel enhancement, why leave a dynamic link LSM interface open which might be a security threat itself?

So, in the name of "nobody else will fess up to using LSM" and "A dynamic LSM interface is a security threat", Linus accepted the patch which closed LSM to dynamically loaded modules.

I feel that this action was hasty; that making LSM a static-link-only interface is very short-sighted. It shut the door to many up-and-coming security-related projects (that were just not ready for submission upstream). This action obviously gives an unfair advantage to the SELinux camp.

-adam

_______________________________________________
Dazuko-devel mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/dazuko-devel
