On Mon, Oct 31, 2005 at 09:02:03AM -0600, Manoj Srivastava wrote:
> On Mon, 31 Oct 2005 11:06:16 +0900, Horms <[EMAIL PROTECTED]> said:
>
> > This is a problem that was recently discussed on debian-kernel
> > without resolution. My understanding is that there are some security
> > implications of making SECURITY_CAPABILITIES modular.
>
> It is my understanding that SELinux does require
> SECURITY_CAPABILITIES in order to function. Not having those
> available before the root file system is loaded would make the early
> boot process unprotected and vulnerable, and may cause havoc with the
> startup (I do not know, since I have never tried an SELinux kernel
> without SECURITY_CAPABILITIES compiled in).
>
> Gory details behind my understanding follow.

[snip]

Thanks, much appreciated. It seems that we are stuck with having
SECURITY_CAPABILITIES=y. And as we know, that completely breaks
modular LSM. I think this is something we have to live with unless
LSM can be integrated upstream.

--
Horms