On Fri, 22 Mar 2002 22:11, Valdis.Kletnieksat_private wrote: > > Since secure-systems are a minority of installed systems, and the LSM > > code works exceptionally well with a common-patch, why should this patch > > enter into the "official" code tree for Linux and not simply track it as > > a shared resource for secure-system developers, developed outside the > > 'stock kernel' tree? > > " > > s/secure-systems/multiprocessor/ > s/secure-systems/over 2G RAM/ > s/secure-systems/have RAID/ > s/secure-systems/have Gigabit ethernet/ > s/secure-systems/need disk quotas/ > s/secure-systems/non-x86 CPU/ > > You get the idea.... That is one issue. However that is not all that's needed. LSM can be turned off if you don't want it. It's not like a new VM system, it's not going to cause anyone problems if they don't want it. LSM is a fairly significant patch. Any other patch that does anything significant with ACLs, file systems, networking, or kernel debugging can be expected to not apply cleanly when LSM is applied. It causes inconveniance to me that I can't use XFS and LSM. When LSM enters the main kernel tree all the patches will be made to apply against it and things will be much easier. OTOH if XFS, kdb, and kgdb were put in the main kernel tree it would solve this problem just as well for me. But LSM is significantlymore mainstream than kdb and kgdb, and there's probably more demand for it than for XFS (we've got quite a number of file systems in the kernel already). Now there's the sales angle. Once we get LSM into the main kernel people who promote Linux can talk about it's advanced security. In terms of security features in the OS it can currently be claimed that Linux lacks behind NT (we have no ACLs). With LSM we will be way ahead. Some people will choose Linux over NT for this (and we do want world domaination). Finally there's the debugging issue. Tracking down certain types of bugs in daemons is easier with SE Linux. I have already submitted a patch for a bug in devfsd and a patch for a bug in libnss-ldap that I discovered through using SE Linux. If you want to trace strange stuff that's going on then LSM provides some hooks that can really help. -- If you send email to me or to a mailing list that I use which has >4 lines of legalistic junk at the end then you are specifically authorizing me to do whatever I wish with the message and all other messages from your domain, by posting the message you agree that your long legalistic sig is void. _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri Mar 22 2002 - 13:50:03 PST