On Friday, December 19, 2014 09:59:05 AM Casey Schaufler wrote:
> On 12/19/2014 8:41 AM, Daniel J Walsh wrote:
> > Currently Symantec requires SELinux be disabled, claiming there are
> > conflicts in the kernel modules.
> >
> > http://www.symantec.com/connect/forums/does-scsp-agent-support-selinux
>
> Based on the fact they are also disparaging AppArmor and a couple of
> out-of-tree security modules, and that SELinux=permissive is not sufficient
> I'm assuming it's an out-of-tree security module.

I don't ever recall seeing a SCSP patchset. I also couldn't find much in the
way of Linux integration details on their website, mostly just marketing
materials.

> > As the customer wants to take advantage of certain SELinux features
> > like sVirt for VMs and Docker Containers, this conflict is coming to a
> > head.
> >
> > Is anyone familiar with whether or not this is a real conflict or just
> > something assumed by Symantec?

Other than Symantec saying you can't have both running at the same time, I
don't even know what the conflict is ... I'm sure we can offer some guesses,
but that isn't very helpful.

> > The customer likes Symantec's ability to do intrusion detection and
> > remote logging and configuration of CSB.
> >
> > Bottom line the customer wants both.
>
> It would help if someone from the SELinux community would comment on
> the v18 concurrent security modules patches. Moving that work forward
> is your best step toward getting what you need. Of course, v18 doesn't
> get you all the way, but it gets closer.

This assumes that the issue is due to LSM hook conflicts; not an unreasonable
assumption, but still just a guess.

As for the LSM stacking patches, it's on my list, along with a mountain of
other things (now with more audit, which is horrible in its own special way).
I can promise you that I'm not ignoring your patches any worse than I'm
ignoring anyone else's patches :)

-- 
paul moore
www.paul-moore.com