
Re: Parallellizing the boot in Debian Squeeze - ready for wider testing

On Sunday 16 May 2010 03:35:09 Steve Langasek wrote:
> Given the difference in how kernels vs. init daemons are usually
> administered as part of a system, I think the runtime impact of supporting
> multiple LSMs in init is much more significant than supporting multiple
> LSMs in the kernel.  I don't think we want init to have shared lib deps
> for each of the available LSMs.

In the early days of LSM development there was the idea that LSM modules could
be kernel modules; this idea was given up early on. There was also the idea
that modules could be "stacked", so that you could have multiple modules active
at the same time (e.g. OpenWall /tmp protection as well as SE Linux), but that
ended up not working well technically, so for ages it was only the Capability
module that supported stacking.  A quick check of the dmesg on a testing system
indicates that capability is not regarded as a separate module any more (or at
least it's not in the dmesg).

The patch to SysVInit for SE Linux is very small; it wouldn't be difficult to
have support for a dozen such LSM modules with case statements.  Not that it
would happen: the only LSM modules that are publicly available are SE Linux,
Smack, AppArmor, and Tomoyo, and I think that SE Linux is the only one that
needs an init patch.
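As an added illustration of the per-LSM "case statement" idea in the message above (example code written for this page, not Debian's sysvinit patch or anything posted in the thread): before init can dispatch on the active LSM it has to find out which one the kernel booted with. This small C program reads the comma-separated list that recent kernels export in /sys/kernel/security/lsm (that file did not exist on the 2010 kernels discussed here; where it is absent the program reports "none" and init would do no LSM-specific work), skips the capability module and the other minor modules that stack with it, and returns the first major LSM found. The name table, the enum and the fallback behaviour are my assumptions; the input lists used when exercising it are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Major LSMs an init daemon might need to special-case (assumed list). */
enum lsm_kind { LSM_NONE = 0, LSM_SELINUX, LSM_SMACK, LSM_APPARMOR, LSM_TOMOYO, LSM_OTHER };

/* Map one kernel-reported LSM name (not NUL-terminated, length given) to an
 * enum value. "capability" and the minor modules that stack with it need
 * nothing from init, so they map to LSM_NONE. Anything not in the table is
 * LSM_OTHER so that init can fail loudly instead of guessing. */
static enum lsm_kind lsm_from_name(const char *name, size_t len)
{
    static const struct { const char *name; enum lsm_kind kind; } table[] = {
        { "selinux",    LSM_SELINUX  },
        { "smack",      LSM_SMACK    },
        { "apparmor",   LSM_APPARMOR },
        { "tomoyo",     LSM_TOMOYO   },
        { "capability", LSM_NONE     },   /* always present, never needs init work */
        { "yama",       LSM_NONE     },   /* minor modules that stack on top */
        { "lockdown",   LSM_NONE     },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strlen(table[i].name) == len && memcmp(table[i].name, name, len) == 0)
            return table[i].kind;
    return LSM_OTHER;
}

/* Parse a list such as "capability,yama,selinux\n" (the format of
 * /sys/kernel/security/lsm on kernels that provide it) and return the first
 * entry that is not a minor module, or LSM_NONE if there is none. */
enum lsm_kind lsm_from_list(const char *list)
{
    const char *p = list;
    while (*p) {
        const char *end = p;
        while (*end && *end != ',' && *end != '\n')
            end++;
        if (end > p) {                       /* skip empty fields */
            enum lsm_kind k = lsm_from_name(p, (size_t)(end - p));
            if (k != LSM_NONE)
                return k;
        }
        p = *end ? end + 1 : end;
    }
    return LSM_NONE;
}

/* Read the active LSM list from securityfs. A missing or unreadable file
 * (older kernel, securityfs not mounted) yields LSM_NONE, the safe default. */
enum lsm_kind lsm_active(const char *path)
{
    char buf[256];
    FILE *f = fopen(path, "r");
    if (!f)
        return LSM_NONE;
    if (!fgets(buf, sizeof buf, f)) {
        fclose(f);
        return LSM_NONE;
    }
    fclose(f);
    return lsm_from_list(buf);
}

/* Human-readable name, used for logging which arm of the dispatch init took. */
const char *lsm_name(enum lsm_kind k)
{
    switch (k) {
    case LSM_SELINUX:  return "selinux";
    case LSM_SMACK:    return "smack";
    case LSM_APPARMOR: return "apparmor";
    case LSM_TOMOYO:   return "tomoyo";
    case LSM_OTHER:    return "unknown";
    default:           return "none";
    }
}

int main(void)
{
    enum lsm_kind k = lsm_active("/sys/kernel/security/lsm");
    printf("active major LSM: %s\n", lsm_name(k));
    return 0;
}
```

The point of returning LSM_NONE both for "only minor modules" and for "file absent" is that init then takes the same path it would on a kernel without any LSM, which is the behaviour Debian's unpatched sysvinit already had; only the arm for a detected major LSM needs to do anything extra.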
