On Fri, 2010-05-28 at 01:28 +0500, Shaz wrote:
> On Fri, May 28, 2010 at 12:27 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > On Thu, 2010-05-27 at 22:12 +0500, Shaz wrote:
> >> Dear all,
> >>
> >> I saw the default security feature in linux-2.6.34 and wanted to know
> >> what difference does it make to have linux DAC or selinux as the
> >> default security module?
> >
> > It doesn't appear to change anything. Not sure if that was the intent.
> >
> > The purpose of the option was to allow specification of what security
> > module to enable at boot by default when multiple security modules are
> > built into the kernel and no security= parameter was specified on the
> > kernel command line. Mostly useful for distributions who want to ship a
> > single kernel that can support any security module and default to a
> > particular one. So for example you could compile SELinux, Smack, and
> > TOMOYO into your kernel while defaulting to enabling TOMOYO at boot
> > time, letting the user optionally select SELinux or Smack via the
> > security= kernel parameter.
> >
> > I think the DAC setting was just to reflect the fact that if you don't
> > enable anything else, you'll get DAC by default. But to make that
> > option actually select DAC-only at boot (i.e. not enable any of security
> > modules), it would have to set the DEFAULT_SECURITY string to some
> > non-empty string that doesn't match any security module name rather than
> > to the empty string.
>
> If selinux is chosen at default then what would be the effect? Would
> LSM be invoked before DAC checks? If not then this kernel
> configuration scheme needs to be corrected.

No, it doesn't have anything to do with when the check is applied; it
just affects which security module is enabled by default at boot if
multiple security modules are built into your kernel.
DEFAULT_SECURITY_DAC is likely meant to disable all security modules
(DAC isn't a security module), falling back to only the default DAC
logic.

In which case the Kconfig file does need to be fixed.

--
Stephen Smalley
National Security Agency
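The selection logic the thread is arguing about, as an added example that is not part of the list thread and not kernel code: a small user-space model of how the boot-time LSM choice resolves. The model assumes three things, all simplifications labelled as such in the comments: the DEFAULT_SECURITY string seeds the chosen name, a `security=` token on the command line overrides it, and when the chosen name is still empty the first built-in module to ask is enabled (the behaviour Stephen's reply implies for the empty-string DAC case). The command lines, the module order and the placeholder name "none" are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Model of the boot-time LSM selection discussed in the thread (not kernel code).
 * Assumptions, simplified for illustration:
 *  - CONFIG_DEFAULT_SECURITY supplies the initial chosen name,
 *  - "security=<name>" on the kernel command line overrides it,
 *  - while the chosen name is empty, the first module to ask is enabled.
 */

#define SECURITY_NAME_MAX 10

struct lsm_state {
    char chosen[SECURITY_NAME_MAX + 1];
};

/* Seed the chosen name from the Kconfig default string. */
static void set_default(struct lsm_state *st, const char *config_default)
{
    strncpy(st->chosen, config_default, SECURITY_NAME_MAX);
    st->chosen[SECURITY_NAME_MAX] = '\0';
}

/* Scan a constructed /proc/cmdline-style string; the last
 * "security=<name>" token wins, other tokens are ignored. */
static void parse_cmdline(struct lsm_state *st, const char *cmdline)
{
    const char *p = cmdline;
    const size_t key_len = strlen("security=");

    while (*p) {
        while (*p == ' ')
            p++;
        size_t len = strcspn(p, " ");
        if (len > key_len && strncmp(p, "security=", key_len) == 0) {
            size_t n = len - key_len;
            if (n > SECURITY_NAME_MAX)
                n = SECURITY_NAME_MAX;
            memcpy(st->chosen, p + key_len, n);
            st->chosen[n] = '\0';
        }
        p += len;
    }
}

/* Modelled registration check: if nothing has been chosen yet the asking
 * module becomes the choice; otherwise only a name match is enabled. */
static int module_enable(struct lsm_state *st, const char *name)
{
    if (st->chosen[0] == '\0')
        strncpy(st->chosen, name, SECURITY_NAME_MAX);
    else if (strncmp(name, st->chosen, SECURITY_NAME_MAX) != 0)
        return 0;
    return 1;
}

/* Built-in modules ask for enablement in this constructed order. */
static const char *const builtin_lsms[] = { "selinux", "smack", "tomoyo" };

/* Simulate boot: returns the enabled module name, or "dac-only" when no
 * module was enabled and the kernel falls back to plain DAC. */
const char *simulate_boot(const char *config_default, const char *cmdline)
{
    struct lsm_state st;
    size_t i;

    set_default(&st, config_default);
    parse_cmdline(&st, cmdline);
    for (i = 0; i < sizeof(builtin_lsms) / sizeof(builtin_lsms[0]); i++)
        if (module_enable(&st, builtin_lsms[i]))
            return builtin_lsms[i];
    return "dac-only";
}

int main(void)
{
    /* Default TOMOYO, user overrides with security=smack. */
    printf("%s\n", simulate_boot("tomoyo", "root=/dev/sda1 security=smack"));
    /* Empty DAC default: the first module to ask (selinux) is enabled. */
    printf("%s\n", simulate_boot("", "root=/dev/sda1"));
    /* Non-empty, non-matching default ("none" is a placeholder): DAC only. */
    printf("%s\n", simulate_boot("none", "root=/dev/sda1"));
    return 0;
}
```

The second and third calls are the point of the thread: with the empty string that DEFAULT_SECURITY_DAC produces, the model does not end up DAC-only because the first registering module claims the empty slot, whereas any non-empty name that matches no module leaves every module disabled.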