Re: [PATCH v13 0/9] LSM: Multiple concurrent LSMs

On Tuesday, April 23, 2013 09:04:06 AM Casey Schaufler wrote:
> Subject: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
> 
> Change the infrastructure for Linux Security Modules (LSM)s from a
> single vector of hook handlers to a list based method for handling
> multiple concurrent modules.
> 
> The "security=" boot option takes a comma separated list of LSMs,
> registering them in the order presented. The LSM hooks will be
> executed in the order registered. Hooks that return errors are
> not short circuited. All hooks are called even if one of the LSM
> hooks fails. The result returned will be that of the last LSM
> hook that failed.

...

> The NetLabel, XFRM and secmark facilities are restricted to use
> by one LSM at a time. This is due to limitations of the underlying
> networking mechanisms. The good news is that viable configurations
> can be created. The bad news is that the complexity of configuring
> a system is necessarily increased.

I know we had a good discussion about this a while back and I just wanted to 
hear from you about this current patchset; how does the labeled networking LSM 
assignment work?  Is it first-come-first-served based on the 'security=' 
setting?

-- 
paul moore
www.paul-moore.com
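As an added illustration, not code from the patch series or from either poster in this thread, the following user-space C model shows the two dispatch rules the cover letter states: "security=" is a comma separated list registered in the order presented, and every hook in that list is called with no short circuit, the returned error being that of the last hook that failed. Every name here (lsm_module, lsm_setup_from_option, lsm_call_file_open, the stand-in modules a, b and c and their verdicts) is a constructed assumption and not a kernel data structure.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_LSMS 8

/* Hypothetical module record. The real series carries a full hook table;
 * a single file-open hook stands in for it here. */
struct lsm_module {
	const char *name;
	int (*file_open)(const char *path);
	int calls;                 /* times the hook has run, for checking */
};

static struct lsm_module *lsm_list[MAX_LSMS];   /* ordered list of modules */
static int lsm_count;

/* Constructed stand-in modules with deliberately different verdicts. */
static int first_open(const char *path)  { (void)path; return 0; }
static int second_open(const char *path) { return strstr(path, "secret") ? -EACCES : 0; }
static int third_open(const char *path)  { return strstr(path, "secret") ? -EPERM : 0; }

static struct lsm_module mod_a = { "a", first_open, 0 };
static struct lsm_module mod_b = { "b", second_open, 0 };
static struct lsm_module mod_c = { "c", third_open, 0 };
static struct lsm_module *available[] = { &mod_a, &mod_b, &mod_c };
#define NAVAIL (sizeof(available) / sizeof(available[0]))

/* Clear the list and the per-module call counters. */
static int lsm_reset(void)
{
	lsm_count = 0;
	for (size_t i = 0; i < NAVAIL; i++)
		available[i]->calls = 0;
	return 0;
}

/* Register a module; registration order is execution order. */
static int lsm_register(struct lsm_module *m)
{
	if (lsm_count >= MAX_LSMS)
		return -ENOMEM;
	lsm_list[lsm_count++] = m;
	return 0;
}

/* Parse a "security=" value such as "b,c,a": a comma separated list,
 * registering each named module in the order presented. Returns the
 * number of modules registered, or -EINVAL on an unknown name. */
static int lsm_setup_from_option(const char *option)
{
	char buf[128];
	int registered = 0;

	strncpy(buf, option, sizeof(buf) - 1);
	buf[sizeof(buf) - 1] = '\0';

	for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
		struct lsm_module *found = NULL;

		for (size_t i = 0; i < NAVAIL; i++)
			if (strcmp(available[i]->name, tok) == 0)
				found = available[i];
		if (!found)
			return -EINVAL;
		if (lsm_register(found))
			return -ENOMEM;
		registered++;
	}
	return registered;
}

/* Call every registered hook in order. No short circuit: a failing hook
 * does not stop the later ones, and the value returned is that of the
 * last hook that failed (0 if none did). */
static int lsm_call_file_open(const char *path)
{
	int rc = 0;

	for (int i = 0; i < lsm_count; i++) {
		int err = lsm_list[i]->file_open(path);

		lsm_list[i]->calls++;
		if (err)
			rc = err;   /* a later failure overwrites an earlier one */
	}
	return rc;
}

int main(void)
{
	lsm_reset();
	lsm_setup_from_option("b,c,a");
	printf("security=b,c,a  open(/etc/secret) -> %d (last failure is c's -EPERM)\n",
	       lsm_call_file_open("/etc/secret"));
	lsm_reset();
	lsm_setup_from_option("c,b");
	printf("security=c,b    open(/etc/secret) -> %d (last failure is b's -EACCES)\n",
	       lsm_call_file_open("/etc/secret"));
	return 0;
}
```

The two runs in main() use the same set of modules and differ only in the "security=" order, yet report different errno values for the same denied open, because the last failing hook decides. When reading denial output on a stacked system, the reported error identifies only the last module in the list that objected, not necessarily every module that did.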


--
This message was distributed to subscribers of the selinux mailing list.