On 2019/03/22 1:38, Kees Cook wrote: > This is mostly good. I'd like to keep the other LSMs listed though > (similar to what I had originally) so that if a legacy-major doesn't > initialize, later ones will be. I want to remove the concept of > "major" LSMs. The only thing that should matter is init order...
Excuse me? Are you saying that if a legacy-major (which is defined as the "Default security module") doesn't initialize, later ones (any of selinux,smack,tomoyo,apparmor except the one which is defined as "Default security module") will be initialized ? That sounds strange to me. Any of selinux,smack,tomoyo,apparmor can be initialized when specified by lsm= kernel command line option (or security= kernel command line option if lsm= kernel command line option is not specified), won't it?
