On 27.03.2014 20:33, Nicolas Iooss wrote:
> TL;DR: this is a technical answer which can be seen as slightly
> off-topic as it focuses only on SELinux and not much on kernel config
> trimming.

Very interesting, thanks for looking into it deeper. I'll leave most of this uncommented.

> This does sound weird. Could you please give me some references to
> this so that I can understand better? I only know that SELinux uses
> the audit subsystem to report denials and that the audit subsystem can
> be disabled at boot time using the "audit=0" kernel command line parameter
> (and also I've read
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/audit.c?id=v3.13#n1001).

Okay, you are right, it wasn't AppArmor, it was SELinux. According to Kconfig, SELinux depends on Audit. And here is my problem: Audit is enabled by default and must be explicitly disabled by the admin. This is a showstopper for me! There is no kernel option to configure audit to be disabled by default (as far as I am aware) so that it can be enabled with 'audit=1' on the command line. As long as SELinux needs audit and audit is enabled by default, SELinux will not make it into the 3.14+ versions of our Linux package.
Attachment:
signature.asc
Description: OpenPGP digital signature
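The dependency and default described in the message above (CONFIG_SECURITY_SELINUX requires CONFIG_AUDIT, and a built-in audit subsystem is on unless the command line says audit=0) can be checked mechanically before a kernel package ships. The script below is an added example, not code from the thread; it assumes a kernel .config file path and the boot command line as a string, and the CONFIG symbol names are the real ones but the sample config is constructed.

```shell
# Print the value of a CONFIG_ symbol from a .config file ("n" if unset).
# $1 = path to .config, $2 = symbol name without the CONFIG_ prefix
config_value() {
    val=$(sed -n "s/^CONFIG_$2=//p" "$1" | head -n 1)
    if [ -z "$val" ]; then
        echo n
    else
        echo "$val"
    fi
}

# Return 0 if the audit subsystem will be active at boot, 1 otherwise.
# Audit is compiled in when CONFIG_AUDIT=y and starts enabled; only an
# explicit audit=0 on the command line turns it off, and a later audit=1
# turns it back on (last occurrence wins).
# $1 = path to .config, $2 = kernel command line
audit_active() {
    [ "$(config_value "$1" AUDIT)" = y ] || return 1
    state=on
    for word in $2; do
        case "$word" in
            audit=0) state=off ;;
            audit=1) state=on ;;
        esac
    done
    [ "$state" = on ]
}

# One-line report a packager can put in a build check: which of the two
# options are built in, and whether audit is on for the given command line.
# $1 = path to .config, $2 = kernel command line
audit_status() {
    audit="$(config_value "$1" AUDIT)"
    selinux="$(config_value "$1" SECURITY_SELINUX)"
    if audit_active "$1" "$2"; then boot=on; else boot=off; fi
    echo "CONFIG_AUDIT=$audit CONFIG_SECURITY_SELINUX=$selinux audit_at_boot=$boot"
}
```

Running `audit_status /boot/config-$(uname -r) "$(cat /proc/cmdline)"` on a live system shows whether the default the message complains about applies there.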