On 2019/02/09 1:23, Casey Schaufler wrote: > On 2/8/2019 2:52 AM, Tetsuo Handa wrote: >> To help administrators easily understand what LSM modules are possibly enabled by default (which >> have to be fetched from e.g. /boot/config-`uname -r`) > > $ cat /sys/kernel/security/lsm > /sys/kernel/security/lsm is list of "actually" enabled modules, isn't it? What I want is "possibly" enabled modules. Ubuntu would chose from either (a) explicitly add security=apparmor to kernel command line or (b) explicitly remove tomoyo from CONFIG_LSM at kernel config in order not to enable TOMOYO for those who want to enable only one of SELinux/Smack/AppArmor. And for those who want to enable TOMOYO, I think that (b) (in other words, add lsm="modules listed in CONFIG_LSM" + ",tomoyo" ) will retain compatibility when it becomes possible to enable more than one of SELinux/Smack/AppArmor at the same time. If we can know "possibly" enabled modules from dmesg, users don't need to look at e.g. /boot/config-`uname -r`. It is not essential, but it's handy.
