Bug 442245 - Can't register LSM other than SELinux
Summary: Can't register LSM other than SELinux
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.0
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Eric Paris
QA Contact: Martin Jenner
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-04-13 11:01 UTC by Donato
Modified: 2008-06-16 21:44 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-06-16 21:44:08 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Donato 2008-04-13 11:01:42 UTC
Description of problem:
I'm developing a Linux Security Module. When I try to load the module,
registering fails and SELinux complies that there's already a secondary module
active and won't let me stack my module. If I totally disable SELinux, The
system goes on and doesn't allow my to register my security module as neither as
primary or secondary. This has to be fixed, people should be allowed to load
security modules other than SELinux.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Write a basic module using the Linux Security Module API
2. Try to load ii into the kernel 
  
Actual results:
It won't be loaded; nor as a primary neither as a secondary module

Expected results:
The module should be loaded correctly and being alloed to enforce its policy on
the system.

Additional info:

Comment 1 Eric Paris 2008-04-24 18:25:31 UTC
SELinux only supports capabilities.  Period.  End of Story.  Will not change. 
Module stacking will not be implemented.

You may wish to look at the following patch which was implemented upstream to
allow for user selection of SMACK vs. SELinux

http://lwn.net/Articles/272585/

I want to remove the whole concept of 'secondary' modules as a general idea
since the ONLY module supported is capabilities why not just have everything
hook directly into capabilities and stop pretending that other secondary modules
are possible....


I see no bug here.  do whatever SMACK does.

Comment 2 Eric Paris 2008-06-16 21:44:08 UTC
Closing as not a bug for now.  If you better explain the issue I might be able
to help.


Note You need to log in before you can comment on or make changes to this bug.