On 9/6/2012 6:08 AM, Stephen Smalley wrote:
> On Wed, 2012-09-05 at 10:38 -0400, Stephen Smalley wrote:
>> On Tue, 2012-09-04 at 19:09 -0700, Casey Schaufler wrote:
>>> Subject: LSM: SELinux changes to allow LSM stacking
>>>
>>> Change security blob accesses to use the lsm_get/lsm_set
>>> interfaces. This requires removal of the cred pointer
>>> poisoning in selinux_cred_free.
>>>
>>> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
>> FWIW, passes the selinux-testsuite with SELinux and Yama enabled.
> However, setting SELINUX=disabled in /etc/selinux/config and rebooting
> with this kernel yields a kernel panic during reset_security_ops(),
> called by selinux_disable().
>

reset_security_ops is only used by SELinux. There are a number of ways to repair this. The important question is whether a general solution is required or if it can be left SELinux specific. If it is a general interface, does it clear all the LSMs or just the LSM calling it?

I would suggest that leaving it to SELinux is the best choice, and clearing the calling LSM only the next best choice.