On Wednesday, February 27, 2013 08:51:50 AM Casey Schaufler wrote:
> On 2/27/2013 8:43 AM, Paul Moore wrote:
> > On Tuesday, February 26, 2013 03:12:31 PM Casey Schaufler wrote:
> >> On 2/26/2013 1:21 PM, Paul Moore wrote:
> >>> On Monday, February 25, 2013 03:06:14 PM Casey Schaufler wrote:
> >>>> The set of LSMs, the order they are invoked, which LSM
> >>>> uses /proc/.../attr/current and which LSM uses Netlabel,
> >>>> XFRM and secmark are all determined by Kconfig. You can
> >>>> specify a limited set of LSMs using security= at boot,
> >>>> but not the networking configuration.
> >>>
> >>> That's unfortunate. I'm _really_ not in favor of that, I would much
> >>> rather see the non-shared LSM functionality assigned at the same time as
> >>> the stacking order. I'm not sure I'd NACK the current approach, or even
> >>> if anyone would care that I did, but that is how I'm currently leaning
> >>> with this split (build vs runtime) selection.
> >>
> >> I'm not against that approach. How would you see it working?
> >>
> >> The distro compiles in all the LSMs.
> >> They specify that SELinux gets xfrm and secmark.
> >> They specify that Smack gets Netlabel.
> >> They tell (the new and improved) AppArmor to eschew networking.
> >> They specify a boot order of "selinux,smack,apparmor,yama"
> >> (They left off tomoyo for tax purposes).
> >>
> >> On the boot line, the user types "security=apparmor".
> >>
> >> What should happen?
> >
> > Okay, I misunderstood what was specified at boot time; I thought the
> > stacking order could be defined at boot but based on your example I'm
> > guessing the stacking order is defined at compile time and you can only
> > enable/disable LSMs at boot?
>
> Well, no. It looks as if I gave a poor example.
>
> "security=apparmor,tomoyo,selinux"
>
> is legitimate and indicates that AppArmor goes first,
> then TOMOYO, then SELinux. No LSM gets NetLabel because
> that was allocated to Smack. SELinux gets XFRM and secmark.
All the more reason to either adopt a mechanism that allows you to assign the
non-shareable resources on the command line along with the stacking
configuration or simply adopt a first-come-first-serve policy.

-- 
paul moore
security and virtualization @ redhat
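To make the two options in the thread concrete, here is an added model of the second one (first-come-first-serve assignment of the non-shareable hooks driven by the boot-time list). It is example code written for this page, not Linux kernel code and not anything from the LSM stacking patches under discussion: the `known_lsms` capability table, the resource enum, and the function names `parse_security_param`, `resource_owner` and `owner_for` are all constructed for the illustration. With Casey's example list, NetLabel no longer goes unclaimed just because Smack was its build-time owner; it goes to the first LSM on the `security=` line that is able to use it.

```c
/*
 * Added illustration (not kernel code): a boot-time "security=" list that
 * fixes both the LSM stacking order and the owner of each non-shareable
 * networking hook (NetLabel, XFRM, secmark) on a first-come-first-serve
 * basis. The LSM names, the capability table and the function names are
 * constructed assumptions for this example.
 */
#include <stdio.h>
#include <string.h>

#define MAX_LSMS 8
#define NAME_LEN 16

enum resource { RES_NETLABEL, RES_XFRM, RES_SECMARK, RES_COUNT };
static const char *res_names[RES_COUNT] = { "netlabel", "xfrm", "secmark" };

/* Constructed build-time table: which LSMs are *able* to use each hook.
 * It mirrors the scenario in the thread, not any real Kconfig. */
struct lsm_info {
    const char *name;
    unsigned int can_use; /* bitmask over enum resource */
};

static const struct lsm_info known_lsms[] = {
    { "selinux",  (1u << RES_NETLABEL) | (1u << RES_XFRM) | (1u << RES_SECMARK) },
    { "smack",    (1u << RES_NETLABEL) },
    { "apparmor", 0 },
    { "tomoyo",   0 },
    { "yama",     0 },
};

struct stack_config {
    char order[MAX_LSMS][NAME_LEN]; /* invocation order, first entry runs first */
    int count;
    int owner[RES_COUNT];           /* index into order[], or -1 if unclaimed */
};

static const struct lsm_info *lookup_lsm(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof(known_lsms) / sizeof(known_lsms[0]); i++)
        if (strcmp(known_lsms[i].name, name) == 0)
            return &known_lsms[i];
    return NULL;
}

/* Parse "security=a,b,c" (the "security=" prefix is optional) into a stacking
 * order. Returns the number of LSMs accepted, or -1 on an unknown or malformed
 * name. Each hook is handed to the first listed LSM that can use it. */
int parse_security_param(const char *param, struct stack_config *cfg)
{
    const char *p = param;
    int r;

    memset(cfg, 0, sizeof(*cfg));
    for (r = 0; r < RES_COUNT; r++)
        cfg->owner[r] = -1;

    if (strncmp(p, "security=", 9) == 0)
        p += 9;

    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const struct lsm_info *info;
        int idx = cfg->count;

        if (len == 0 || len >= NAME_LEN || idx >= MAX_LSMS)
            return -1;
        memcpy(cfg->order[idx], p, len);
        cfg->order[idx][len] = '\0';

        info = lookup_lsm(cfg->order[idx]);
        if (!info)
            return -1;
        for (r = 0; r < RES_COUNT; r++)
            if (cfg->owner[r] < 0 && (info->can_use & (1u << r)))
                cfg->owner[r] = idx;   /* first come, first served */
        cfg->count++;
        p = end ? end + 1 : p + len;
    }
    return cfg->count;
}

/* Name of the LSM that owns a hook, or "none" if no listed LSM can use it. */
const char *resource_owner(const struct stack_config *cfg, enum resource r)
{
    return cfg->owner[r] < 0 ? "none" : cfg->order[cfg->owner[r]];
}

/* Convenience wrapper: parse a parameter string and report a hook's owner. */
const char *owner_for(const char *param, enum resource r)
{
    static struct stack_config cfg;
    if (parse_security_param(param, &cfg) < 0)
        return "invalid";
    return resource_owner(&cfg, r);
}

int main(void)
{
    struct stack_config cfg;
    int i;
    parse_security_param("security=apparmor,tomoyo,selinux", &cfg);
    for (i = 0; i < cfg.count; i++)
        printf("%d: %s\n", i, cfg.order[i]);
    for (i = 0; i < RES_COUNT; i++)
        printf("%s -> %s\n", res_names[i], resource_owner(&cfg, (enum resource)i));
    return 0;
}
```

Running it with Casey's `security=apparmor,tomoyo,selinux` prints the order apparmor, tomoyo, selinux and assigns all three hooks to SELinux, because it is the only listed LSM able to use them; reversing `smack,selinux` versus `selinux,smack` shows how the list order alone decides who gets NetLabel, which is the property Paul's first option would instead make an explicit part of the command line.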