Bug 442245 - Can't register LSM other than SELinux
Summary: Can't register LSM other than SELinux
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel   
(Show other bugs)
Version: 5.0
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Eric Paris
QA Contact: Martin Jenner
Depends On:
TreeView+ depends on / blocked
Reported: 2008-04-13 11:01 UTC by Donato
Modified: 2008-06-16 21:44 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-06-16 21:44:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Donato 2008-04-13 11:01:42 UTC
Description of problem:
I'm developing a Linux Security Module. When I try to load the module,
registering fails and SELinux complies that there's already a secondary module
active and won't let me stack my module. If I totally disable SELinux, The
system goes on and doesn't allow my to register my security module as neither as
primary or secondary. This has to be fixed, people should be allowed to load
security modules other than SELinux.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Write a basic module using the Linux Security Module API
2. Try to load ii into the kernel 
Actual results:
It won't be loaded; nor as a primary neither as a secondary module

Expected results:
The module should be loaded correctly and being alloed to enforce its policy on
the system.

Additional info:

Comment 1 Eric Paris 2008-04-24 18:25:31 UTC
SELinux only supports capabilities.  Period.  End of Story.  Will not change. 
Module stacking will not be implemented.

You may wish to look at the following patch which was implemented upstream to
allow for user selection of SMACK vs. SELinux


I want to remove the whole concept of 'secondary' modules as a general idea
since the ONLY module supported is capabilities why not just have everything
hook directly into capabilities and stop pretending that other secondary modules
are possible....

I see no bug here.  do whatever SMACK does.

Comment 2 Eric Paris 2008-06-16 21:44:08 UTC
Closing as not a bug for now.  If you better explain the issue I might be able
to help.

Note You need to log in before you can comment on or make changes to this bug.