On Wed, Apr 6, 2016 at 2:23 PM, David Miller <davem@xxxxxxxxxxxxx> wrote:
> From: Paul Moore <paul@xxxxxxxxxxxxxx>
> Date: Wed, 6 Apr 2016 10:07:27 -0400
>
>> "While marking the LSM hook structure doesn't directly affect the
>> SELinux netfilter hooks, once we remove the ability to deregister the
>> LSM hooks we will have no need to support deregistering netfilter
>> hooks and I expect we will drop that functionality as well to help
>> decrease the risk of tampering."
>
> This is not a reasonable position.
>
> The performance implications are non-trivial for using netfilter hooks
> when they aren't actually needed.

With all due respect, I think you've taken what I consider to be some
unreasonable positions when it comes to the network stack and LSMs in
the past. We have different perspectives and different priorities as a
result; from my perspective, the security advantage gained by
eliminating the ability to disable SELinux at runtime is more important.

--
paul moore
www.paul-moore.com