
Re: realtime-lsm and Debian kernel



On Fri, Oct 14, 2005 at 05:02:54PM +0200, geiger@xdv.org wrote:
> Quoting Horms <horms@debian.org>:
> 
> > On Tue, Oct 11, 2005 at 01:27:27PM +0200, Christoph Hellwig wrote:
> > > On Tue, Oct 11, 2005 at 06:24:20AM -0500, Geiger Guenter wrote:
> > > > This means that it has to be dropped. That's ok with me, it means less
> > > > work. What was the reason again for not including the capabilities as
> > > > a module?
> > >
> > > Making Security modules actually modular means they don't have the full
> > > view of the process and generally is a bad idea.  For the specific case
> > > of capabilities there even was an exploit in the past.  If we want to
> > > support a given security module in debian we should compile it into the
> > > kernel statically.
> >
> > If I recall, lsm wasn't well received upstream, in which case
> > dropping it is probably a good idea anyway.
> 
> Yes, it's true that it wasn't accepted upstream, but it is, security wise,
> still the best solution to gain the necessary realtime permissions for audio
> work. That's the main reason why I don't want to throw it away without a
> thought. If I understand correctly the modular approach would be acceptable if
> the capabilities module would not be removable.
> I think this should be achievable.

Can you talk this over with the SE linux guys and see what they think?
It sounds like this is primarily a config problem, though there might
need to be some kernel updates to make the SE people happy.

-- 
Horms


