On Thu, 2017-02-02 at 17:39 +0100, Ralf Mardorf wrote:
> On Thu, 02 Feb 2017 11:22:28 -0500, Daniel Micay via arch-general
> wrote:
> > The reason for SELinux and AppArmor not being enabled for linux or
> > linux-grsec has to do with audit. If people were willing to do a bit
> > of work, all of the MAC implementations rather than only grsecurity
> > RBAC and TOMOYO could be available.
>
> IIUC Mark Shuttleworth offered manpower to enable a standard mac-based
> security framework:
> https://lists.ubuntu.com/archives/snapcraft/2017-January/002247.html

There's a need to improve audit or remove the dependency on it. If there
was a kernel configuration option upstream to fully disable audit by
default and avoid logging / performance / security issues from it then
the kernel maintainers would likely be willing to enable it and the LSMs
depending on it again. They were disabled due to the drawbacks of audit,
combined with the lack of effort to actually use those LSMs on Arch. It
is not simply a matter of people not stepping up to integrate the MACs
but also the kernel requiring changes that our kernel maintainers are
not willing to carry out-of-tree.