Bug 2303689

Summary: FutureFeature: Please enable TOMOYO Linux security module (#2)
Product: [Fedora] Fedora
Reporter: Tetsuo Handa <penguin-kernel>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: rawhide
CC: acaringi, adscvr, airlied, alciregi, bskeggs, hdegoede, hpa, ikent, josef, kernel-maint, linville, masami256, mchehab, mtasaka, omosnacek, paul, penguin-kernel, ptalbert, steved, suraj.ghimire7, toracat
Hardware: All   
OS: Linux   
Last Closed: 2024-12-17 09:46:41 UTC

Description Tetsuo Handa 2024-08-08 14:08:17 UTC
Description of problem:
TOMOYO is not enabled in Fedora kernels.

Expected results:
Fedora kernels are built with CONFIG_SECURITY_TOMOYO=y .

Additional info:
TOMOYO was enabled in many distribution kernels, including CentOS plus kernels.
Since I heard no complaints caused by enabling TOMOYO, I believe that https://bugzilla.redhat.com/show_bug.cgi?id=542986#c8 was a needless anxiety.


Reproducible: Always

Comment 1 Ondrej Mosnáček 2024-10-16 10:32:14 UTC
Hi Tetsuo,

I agree that there should be no problem with enabling TOMOYO in Fedora kernels as it stands. For example, Landlock is already enabled in Fedora even if it remains disabled in RHEL. The final decision is up to the Fedora/ARK kernel maintainers (Justin Forbes and Patrick Talbert), but I don't think they will object.

The Fedora kernel is open for contributions at https://gitlab.com/cki-project/kernel-ark with the technicalities and process documented at https://cki-project.gitlab.io/kernel-ark/index.html. I'd suggest going ahead and opening a merge request to adjust the Fedora configs, which is likely to get a reaction from the maintainers faster. I think you should leave the CONFIG_LSM value unchanged, so that TOMOYO remains boot-time disabled by default (allowing users to override the lsm="..." boot param if they want to use TOMOYO), but perhaps a case can be made to enable it by default, even - not sure what the implications of that are with the current state of LSM infra and TOMOYO.

I believe the kernel-ark diff below should do the trick. (Though I only sanity-tested it with `make dist-srpm`, nothing more.)

diff --git a/redhat/configs/fedora/generic/CONFIG_DEFAULT_SECURITY_TOMOYO b/redhat/configs/fedora/generic/CONFIG_DEFAULT_SECURITY_TOMOYO
new file mode 100644
index 0000000000000..d263a1a61d450
--- /dev/null
+++ b/redhat/configs/fedora/generic/CONFIG_DEFAULT_SECURITY_TOMOYO
@@ -0,0 +1 @@
+# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
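
Review bot: The added "# CONFIG_DEFAULT_SECURITY_TOMOYO is not set" line needs a sentence in the commit message on how it relates to CONFIG_LSM, which this patch does not touch. From the diff alone a reader cannot tell that TOMOYO is meant to be built in but kept out of the default LSM list, so that it only starts when a user adds it through the lsm= boot parameter; please state that intent explicitly.
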
diff --git a/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO b/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO
new file mode 100644
index 0000000000000..e6f51d95d4717
--- /dev/null
+++ b/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO
@@ -0,0 +1 @@
+CONFIG_SECURITY_TOMOYO=y
diff --git a/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER b/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER
new file mode 100644
index 0000000000000..3b16051a555f2
--- /dev/null
+++ b/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER
@@ -0,0 +1 @@
+CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/sbin/init"
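
Review bot: The hard-coded "/sbin/init" in CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER should be checked against the path a Fedora boot actually executes as init. If the pathname executed at boot differs from this string, the trigger does not match and the policy loader is not started, so either confirm the match in a boot test with tomoyo in lsm= or record the expected override in the merge request description.
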
diff --git a/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING b/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING
new file mode 100644
index 0000000000000..92223fef7c44a
--- /dev/null
+++ b/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING
@@ -0,0 +1 @@
+# CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING is not set
diff --git a/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY b/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY
new file mode 100644
index 0000000000000..bad144205fdbb
--- /dev/null
+++ b/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY
@@ -0,0 +1 @@
+CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
diff --git a/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG b/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG
new file mode 100644
index 0000000000000..30348b5801aa6
--- /dev/null
+++ b/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG
@@ -0,0 +1 @@
+CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
diff --git a/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER b/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
new file mode 100644
index 0000000000000..ca0f6f98f1719
--- /dev/null
+++ b/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
@@ -0,0 +1 @@
+# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
diff --git a/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO_POLICY_LOADER b/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO_POLICY_LOADER
new file mode 100644
index 0000000000000..03e6d66e76108
--- /dev/null
+++ b/redhat/configs/fedora/generic/CONFIG_SECURITY_TOMOYO_POLICY_LOADER
@@ -0,0 +1 @@
+CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"
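
Review bot: CONFIG_SECURITY_TOMOYO_POLICY_LOADER points at "/sbin/tomoyo-init", but nothing in the patch says which Fedora package provides that file. Because CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is left unset in the previous hunk, the configuration relies on this userspace loader; please name the package (or say that none exists yet) in the merge request so users know what to install before adding tomoyo to lsm=.
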
diff --git a/redhat/configs/common/generic/CONFIG_SECURITY_TOMOYO b/redhat/configs/rhel/generic/CONFIG_SECURITY_TOMOYO
similarity index 100%
rename from redhat/configs/common/generic/CONFIG_SECURITY_TOMOYO
rename to redhat/configs/rhel/generic/CONFIG_SECURITY_TOMOYO
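
Review bot: The rename from redhat/configs/common/generic to redhat/configs/rhel/generic is shown with "similarity index 100%", so the value RHEL ends up with is not visible anywhere in the diff. Please state that value in the commit message so a reviewer can confirm from the patch alone that only the Fedora configuration changes.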

Comment 2 Tetsuo Handa 2024-12-17 09:46:41 UTC
Closing this bug, for TOMOYO LSM is now enabled in kernel-6.12.4-200.fc41.x86_64.rpm .

Thank you.
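
A check for the distinction discussed in this report, as an added example that is not part of the bug report or of kernel-ark: it separates "built in" (CONFIG_SECURITY_TOMOYO=y) from "initialised at this boot" (named in /sys/kernel/security/lsm) and reports whether the configured policy loader is present. The function names, state labels and the sample CONFIG_LSM value are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): classify TOMOYO's state on a host.

# Print the value of option $2 from kernel config file $1, quotes stripped.
# Prints nothing if the option is absent or "is not set".
config_value() {
    grep "^$2=" "$1" | head -n 1 | cut -d= -f2- | tr -d '"'
}

# Succeed if the comma-separated LSM list $1 contains the name $2.
lsm_listed() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# tomoyo_state CONFIG_FILE ACTIVE_LSMS [ROOT_PREFIX]
tomoyo_state() {
    cfg=$1; active=$2; root=${3:-}
    if [ "$(config_value "$cfg" CONFIG_SECURITY_TOMOYO)" != y ]; then
        echo not-built; return 0
    fi
    if ! lsm_listed "$active" tomoyo; then
        # Built in, but not initialised at this boot.
        if lsm_listed "$(config_value "$cfg" CONFIG_LSM)" tomoyo; then
            echo inactive-default-on    # the build default was overridden at boot
        else
            echo inactive-default-off   # needs tomoyo added via lsm=
        fi
        return 0
    fi
    loader=$(config_value "$cfg" CONFIG_SECURITY_TOMOYO_POLICY_LOADER)
    if [ -n "$loader" ] && [ -x "$root$loader" ]; then
        echo active-loader-present
    else
        echo active-loader-missing
    fi
}

# Constructed sample: TOMOYO values from the diff; the CONFIG_LSM value is made up.
sample_config() {
    cat <<'EOF'
CONFIG_LSM="lockdown,yama,integrity,selinux,bpf,landlock"
CONFIG_SECURITY_TOMOYO=y
# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"
EOF
}

# Live check on a running system: sh script.sh --live
if [ "${1:-}" = "--live" ]; then
    tomoyo_state "/boot/config-$(uname -r)" "$(cat /sys/kernel/security/lsm)"
fi
```
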