Message-ID: <20070102214026.GA13887@sergelap.austin.ibm.com>
Date:	Tue, 2 Jan 2007 15:40:27 -0600
From:	"Serge E. Hallyn" <serue@...ibm.com>
To:	Mimi Zohar <zohar@...ibm.com>
Cc:	Daniel Walker <dwalker@...sta.com>, akpm@...l.org,
	kjhall@...ux.vnet.ibm.com, linux-kernel@...r.kernel.org,
	Stephen Smalley <sds@...ch.ncsc.mil>
Subject: Re: Should be [PATCH -mm] --  Re: [PATCH -rt] panic on SLIM + selinux

Quoting Mimi Zohar (zohar@...ibm.com):
> Being able to compile both SELinux and SLIM into the kernel was done
> intentionally.

Intentionally so that you can switch back and forth for testing?

> The kernel parameters 'selinux' and 'slim' can enable
> or disable the LSM module at boot.  Perhaps, for the time being, the
> SECURITY_SLIM_BOOTPARAM_VALUE should default to 0.

That should solve the problem for most people.  People wanting to
test with slim will still have to specify 'selinux=0' or get the
boot failure.  But I suspect that having selinux automatically
not load when slim is loaded will be considered too unsafe?

Mimi, what about moving slim down below selinux in the Makefile,
and having slim refuse to load if security_ops is not an _ops you
know about (i.e. dummy_ops or capability_ops)?  Then you can leave
SECURITY_SLIM_BOOTPARAM_VALUE as 1, and users just have to say
'selinux=0' to boot slim?  Just a thought, maybe less intuitive...

-serge
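
The init-order idea discussed in this message, as an added example that is not part of the original e-mail and is not kernel code: a userspace C model comparing the failing order with the proposed one. The `*_init` bodies, the `boot()` helper and the modelled panic are assumptions made for illustration; only the names `security_ops`, `dummy_ops` and `capability_ops` come from the message.

```c
#include <string.h>

/* Userspace model only: names follow the e-mail, bodies are assumptions. */
struct security_operations { const char *name; };

static struct security_operations dummy_ops      = { "dummy" };
static struct security_operations capability_ops = { "capability" };
static struct security_operations selinux_ops    = { "selinux" };
static struct security_operations slim_ops       = { "slim" };

static struct security_operations *security_ops = &dummy_ops;

/* SELinux is modelled as requiring the primary slot; if another LSM
 * already holds it, initialisation fails (the boot failure in the thread). */
static int selinux_init(int enabled)
{
    if (!enabled)
        return 0;
    if (security_ops != &dummy_ops)
        return -1;                      /* modelled panic */
    security_ops = &selinux_ops;
    return 0;
}

/* Proposed SLIM behaviour: decline to load, without error, unless the
 * current security_ops is one it knows (dummy_ops or capability_ops). */
static int slim_init(int enabled)
{
    if (!enabled)
        return 0;
    if (security_ops != &dummy_ops && security_ops != &capability_ops)
        return 0;                       /* refuse to load */
    security_ops = &slim_ops;
    return 0;
}

/* Simulate one boot. selinux/slim model the boot parameters;
 * slim_first models the link order set by the Makefile.
 * Returns the active LSM name, or "panic". */
const char *boot(int selinux, int slim, int slim_first)
{
    int rc;

    security_ops = &dummy_ops;
    if (slim_first) { slim_init(slim); rc = selinux_init(selinux); }
    else            { rc = selinux_init(selinux); slim_init(slim); }
    return rc ? "panic" : security_ops->name;
}
```

In this model, `boot(1, 1, 1)` is the failing configuration, `boot(1, 1, 0)` is the proposed ordering with both defaults left at 1, and `boot(0, 1, 0)` is the 'selinux=0' case.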