Bug#336452: realtime-lsm-source does not build against the linux-image-2.6.14-1-k7
On Tue, Nov 01, 2005 at 11:33:15AM +0900, Horms wrote:
> On Mon, Oct 31, 2005 at 09:02:03AM -0600, Manoj Srivastava wrote:
> > On Mon, 31 Oct 2005 11:06:16 +0900, Horms <horms@debian.org> said:
> > > This is a problem that was recently discussed on debian-kernel
> > > without resolution. My understanding is that there are some security
> > > implications of making SECURITY_CAPABILITIES modular.
> >
> > It is my understanding that SELinux does require
> > SECURITY_CAPABILITIES in order to function. Not having those
> > available before the root file system is loaded would make the early
> > boot process unprotected and vulnerable, and may cause havoc with the
> > startup (I do not know, since I have never tried an SELinux kernel
> > without SECURITY_CAPABILITIES compiled in).
> >
> > Gory details behind my understanding follow.
>
> [snip]
>
> Thanks, much appreciated.
>
> It seems that we are stuck with having SECURITY_CAPABILITIES=y.
> And as we know, that completely breaks modular LSM.
>
> I think this is something we have to live with unless LSM
> can be integrated upstream.
What is left to understand is why this breaks modular LSM? It seems to me a
bug in LSM and all future reports should be redirected to LSM.
Friendly,
Sven Luther