|
Message-ID: <20171128193243.4fymnjk7fplqw62x@thunk.org> Date: Tue, 28 Nov 2017 14:32:43 -0500 From: Theodore Ts'o <tytso@....edu> To: Geo Kozey <geokozey@...lfence.com> Cc: Linus Torvalds <torvalds@...ux-foundation.org>, Djalal Harouni <tixxdz@...il.com>, Kees Cook <keescook@...omium.org>, James Morris <james.l.morris@...cle.com>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, LSM List <linux-security-module@...r.kernel.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Jonathan Corbet <corbet@....net> Subject: Re: Re: [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules On Tue, Nov 28, 2017 at 01:16:59PM +0100, Geo Kozey wrote: > > Userspace can be configured in a way which is compatible with those > changes being on the same as it can be configured to work with > selinux. That means on distro level or sysadmin level it's a > valuable tool. It's better than nothing and it's better than using > some out-of-tree patches instead. Switching one sysctl would make > their life easier. If *selinux* can opt-in to something more stringent, such that when you upgrade to a new version of selinux which enables something which breaks all modules unless you set up the rules corretly, I don't see a problem with it. It might force distributions not to go to the latest version of SELinux because users get cranky when their systems get broken, but for people like me, who *still* don't use SELinux because every few years, i try to enable on my development laptop running Debian, watch ***far*** too much stuff break. and then turn it off again. So tieing it to SELinux (as far as I am concerned) reduces it to a previously unsolved problem. :-) But that's different from opting it on by default for non-SELinux users. To which I can only say, "Please, No." - Ted
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.