Bug#336452: realtime-lsm-source does not build against the linux-image-2.6.14-1-k7
On Mon, Oct 31, 2005 at 09:02:03AM -0600, Manoj Srivastava wrote:
> On Mon, 31 Oct 2005 11:06:16 +0900, Horms <horms@debian.org> said:
> > This is a problem that was recently discussed on debian-kernel
> > without resolution. My understanding is that there are some security
> > implications of making SECURITY_CAPABILITIES modular.
>
> It is my understanding that SELinux does require
> SECURITY_CAPABILITIES in order to function. Not having those
> available before the root file system is loaded would make the early
> boot process unprotected and vulnerable, and may cause havoc with the
> startup (I do not know, since I have never tried an SELinux kernel
> without SECURITY_CAPABILITIES compiled in).
>
> Gory details behind my understanding follow.
[snip]
Thanks, much appreciated.
It seems that we are stuck with having SECURITY_CAPABILITIES=y.
And as we know, that completely breaks modular LSM.
I think this is something we have to live with unless LSM
can be integrated upstream.
--
Horms