On Wed, May 30, 2018 at 09:13:46PM +0300, Ozgur Kara wrote: > > > 30.05.2018, 21:08, "valdis.kletni...@vt.edu" <valdis.kletni...@vt.edu>: > > On Wed, 30 May 2018 10:37:25 -0700, you said: > > > >> First, theoretical, I suppose: what were the reasons to effectively > >> disable dynamic loading of LSM ? > > > > Because that implies the system was up without the LSM loaded - at which > > point > > somebody can have tampered with whatever labelling the LSM uses. So we > > insist that the LSM be brought online very early during the boot process, > > to make > > sure that the LSM has a chance to stop any unauthorized relabeling. > > > >> Second, is there a way for two or more LSMs to co-exist? After inspecting > >> security_module_enable() and register_security(), it doesn't seem > >> possible, > >> however yama does attempt to load itself? Am I missing something? > > > > There's some support for one "large" LSM and a "trivial" one like yama. > > There's very real and nasty interactions if you try to run (for instance) > > SELinux and AppArmor at the same time. The composition of multiple > > MAC systems is fraught with danger (go back and look at how long it took > > us to get file capabilities to work right...) > > SElinux and AppArmor are completely disappointing. > Really.
Fair enough, you are free to create a competing LSM. This is the very reason that the interface was made in the first place. Because no one can decide what the "best" security model is for everyone else. Thanks for proving the design decision was a correct one :) greg k-h _______________________________________________ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
