Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Feb 2017 07:15:17 +0900
From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To: keescook@...omium.org
Cc: casey@...aufler-ca.com, sds@...ho.nsa.gov, jmorris@...ei.org,
        linux-security-module@...r.kernel.org,
        kernel-hardening@...ts.openwall.com, paul@...l-moore.com
Subject: Re: Re: [RFC PATCH 2/4] security: mark nf ops in SELinux and Smack as __ro_after_init

Kees Cook wrote:
> On Mon, Feb 13, 2017 at 2:05 PM, Tetsuo Handa
> <penguin-kernel@...ove.sakura.ne.jp> wrote:
> > Kees Cook wrote:
> >> On Mon, Feb 13, 2017 at 1:32 PM, Casey Schaufler <casey@...aufler-ca.com> wrote:
> >> > If we changed CONFIG_SECURITY_SELINUX_DISABLE to
> >> > CONFIG_SECURITY_DYNAMIC_MODULES and put the __ro_after_init
> >> > under !CONFIG_SECURITY_DYNAMIC_MODULES we solve both the
> >> > current and potential future issues.
> >>
> >> Something like...
> >>
> >> #ifdef CONFIG_SECURITY_DYNAMIC_LSM
> >> # define lsm_ro_after_init __ro_after_init
> >> # define lsm_const         const
> >> #else
> >> # define lsm_ro_after_init
> >> # define lsm_const
> >> #endif
> >>
> >> ?
> >
> > Fedora/RHEL won't use CONFIG_SECURITY_DYNAMIC_LSM=y whereas
> > LKM based LSMs are targeted for such distributions.
> >
> > I don't worry much about Android, for manufactures who ship their
> > products with TOMOYO enabled can rebuild their kernels. But asking
> > for rebuild of Fedora/RHEL kernels to end users is too painful.
> 
> I thought the argument was that Fedora WOULD ship that way, since it
> needs to have the run-time selinux disabling feature?

True only if Fedora/RHEL doesn't separate kernel packages.
They can build separate kernel packages for with-/etc/selinux/config
environments and without-/etc/selinux/config environments because
modules needed for those environments would differ.

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.