Bug 442245 - Can't register LSM other than SELinux
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.0
Hardware: All Linux
Priority: low, Severity: medium
Target Milestone: rc
Assigned To: Eric Paris
QA Contact: Martin Jenner
Reported: 2008-04-13 07:01 EDT by Donato
Modified: 2008-06-16 17:44 EDT
Doc Type: Bug Fix
Last Closed: 2008-06-16 17:44:08 EDT
Description Donato 2008-04-13 07:01:42 EDT
Description of problem:
I'm developing a Linux Security Module. When I try to load the module,
registering fails and SELinux complains that there's already a secondary module
active and won't let me stack my module. If I totally disable SELinux, the
system goes on and doesn't allow me to register my security module as either
primary or secondary. This has to be fixed; people should be allowed to load
security modules other than SELinux.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Write a basic module using the Linux Security Module API
2. Try to load it into the kernel
  
Actual results:
It won't be loaded, neither as a primary nor as a secondary module

Expected results:
The module should be loaded correctly and be allowed to enforce its policy on
the system.

Additional info:
Comment 1 Eric Paris 2008-04-24 14:25:31 EDT
SELinux only supports capabilities.  Period.  End of Story.  Will not change. 
Module stacking will not be implemented.

You may wish to look at the following patch which was implemented upstream to
allow for user selection of SMACK vs. SELinux:

http://lwn.net/Articles/272585/

I want to remove the whole concept of 'secondary' modules as a general idea
since the ONLY module supported is capabilities why not just have everything
hook directly into capabilities and stop pretending that other secondary modules
are possible....


I see no bug here.  Do whatever SMACK does.
Comment 2 Eric Paris 2008-06-16 17:44:08 EDT
Closing as not a bug for now.  If you better explain the issue I might be able
to help.
