On Wed, 2012-12-12 at 07:48 -0800, Casey Schaufler wrote: How about asking every LSM to implement a new 'enable' function. If the LSM is not 'present' only the new 'enable' function can be used. If the LSM is present either the legacy enable function every LSM uses today or the new enable function can be used. Thus even if you build the kernel with stacking, you cannot enable a non-present LSM unless the tools have been updated. I'd envision for SELinux it would mean that we would disable/not expose/whatever /sys/fs/selinux/load when SELinux was not present. And we'd have a new /sys/fs/selinux/new_load which could be used in its place. Thoughts? -Eric -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
