On Fri, May 28, 2010 at 1:44 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Fri, 2010-05-28 at 01:28 +0500, Shaz wrote:
>> On Fri, May 28, 2010 at 12:27 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> > On Thu, 2010-05-27 at 22:12 +0500, Shaz wrote:
>> >> Dear all,
>> >>
>> >> I saw the default security feature in linux-2.6.34 and wanted to know
>> >> what difference it makes to have Linux DAC or SELinux as the
>> >> default security module?
>> >
>> > It doesn't appear to change anything. Not sure if that was the intent.
>> >
>> > The purpose of the option was to allow specification of what security
>> > module to enable at boot by default when multiple security modules are
>> > built into the kernel and no security= parameter was specified on the
>> > kernel command line. Mostly useful for distributions who want to ship a
>> > single kernel that can support any security module and default to a
>> > particular one. So for example you could compile SELinux, Smack, and
>> > TOMOYO into your kernel while defaulting to enabling TOMOYO at boot
>> > time, letting the user optionally select SELinux or Smack via the
>> > security= kernel parameter.
>> >
>> > I think the DAC setting was just to reflect the fact that if you don't
>> > enable anything else, you'll get DAC by default. But to make that
>> > option actually select DAC-only at boot (i.e. not enable any of the
>> > security modules), it would have to set the DEFAULT_SECURITY string to
>> > some non-empty string that doesn't match any security module name
>> > rather than to the empty string.
>>
>> If SELinux is chosen as the default, then what would be the effect? Would
>> LSM be invoked before DAC checks? If not, then this kernel
>> configuration scheme needs to be corrected.
>
> No, it doesn't have anything to do with when the check is applied; it
> just affects which security module is enabled by default at boot if
> multiple security modules are built into your kernel.
>
> DEFAULT_SECURITY_DAC is likely meant to disable all security modules
> (DAC isn't a security module), falling back to only the default DAC
> logic. In which case the Kconfig file does need to be fixed.

Which means that if SELinux, Smack and TOMOYO are built in, then someone
choosing DAC as the default module would, or must, end up with only DAC,
i.e. disabling the others!

--
Shaz

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
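The selection behaviour Stephen describes above (the Kconfig default seeds the boot-time choice, security= on the command line overrides it, and an empty string does not give DAC-only) as an added userland model; this is example code written for this page, not the thread's own code and not the kernel's security/security.c, although the names chosen_lsm, choose_lsm() and security_module_enable() are borrowed from it. Two things are assumed here: that an empty chosen_lsm is claimed by the first LSM whose initcall asks (the 2.6.34 semantics Stephen's remark about the empty string refers to), and that SELinux's initcall runs before Smack's and TOMOYO's. The "none" default string used in the last case is a hypothetical value standing in for "some non-empty string that doesn't match any security module name".

```c
/* Userland model of boot-time LSM selection, added for this page.
 * Not kernel code. Assumptions: an empty chosen_lsm is claimed by the
 * first LSM that asks (assumed 2.6.34 behaviour), and initcalls run in
 * the order selinux, smack, tomoyo. */
#include <stdio.h>
#include <string.h>

#define SECURITY_NAME_MAX 10
#define NLSM 3

/* Built-in LSMs in assumed initcall order. */
static const char *const builtin_lsms[NLSM] = { "selinux", "smack", "tomoyo" };

/* Seeded from CONFIG_DEFAULT_SECURITY, then overridden by security= . */
static char chosen_lsm[SECURITY_NAME_MAX + 1];

/* Stand-in for the __setup("security=", ...) handler. */
static void choose_lsm(const char *str)
{
    strncpy(chosen_lsm, str, SECURITY_NAME_MAX);
    chosen_lsm[SECURITY_NAME_MAX] = '\0';
}

/* An empty choice is taken by the first caller; otherwise only the
 * module whose name matches the choice is allowed to register. */
static int security_module_enable(const char *name)
{
    if (!*chosen_lsm)
        strncpy(chosen_lsm, name, SECURITY_NAME_MAX);
    else if (strncmp(name, chosen_lsm, SECURITY_NAME_MAX))
        return 0;
    return 1;
}

/* Simulate one boot. Returns the name of the LSM that registers, or
 * "dac" if every built-in module declined (DAC-only kernel). */
const char *boot(const char *config_default, const char *cmdline_security)
{
    const char *enabled = "dac";
    int i;

    choose_lsm(config_default);          /* CONFIG_DEFAULT_SECURITY */
    if (cmdline_security)
        choose_lsm(cmdline_security);    /* security=<name> wins */

    for (i = 0; i < NLSM; i++) {
        if (security_module_enable(builtin_lsms[i])) {
            enabled = builtin_lsms[i];
            break;   /* only one module can register */
        }
    }
    return enabled;
}

int main(void)
{
    /* DEFAULT_SECURITY_TOMOYO, nothing on the command line: TOMOYO boots */
    printf("default tomoyo, no param      : %s\n", boot("tomoyo", NULL));
    /* same kernel, user asks for Smack via security= */
    printf("default tomoyo, security=smack: %s\n", boot("tomoyo", "smack"));
    /* DEFAULT_SECURITY_DAC as an empty string: first LSM wins, not DAC */
    printf("default \"\" (DAC as shipped)   : %s\n", boot("", NULL));
    /* the fix Stephen describes: a name that matches no module */
    printf("default \"none\" (hypothetical) : %s\n", boot("none", NULL));
    return 0;
}
```

The third case is Shaz's conclusion made concrete: with SELinux, Smack and TOMOYO all built in and DEFAULT_SECURITY left as the empty string, the kernel does not fall back to DAC; whichever module registers first is enabled. Only a non-empty default that matches no module name, as in the fourth case, leaves every module disabled.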