* Stephen Smalley (sds@private) wrote:
> On Fri, 2005-08-26 at 09:22 -0700, Chris Wright wrote:
> > I left it for two reasons. Making it built-in will mean you can't
> > load another security module.
>
> CONFIG_SECURITY=n achieves the same effect.

Yup, agreed (and if we could reduce performance impact that config could
go away ;-)

> > Some distros use the module already, so
> > it's compatibility.
>
> I'd assume that they only do that so that they can load something else
> as primary, and then optionally stack capability under it. Which they
> can still achieve (just by modifying their primary to use the commoncap
> functions directly).

No, they do it because they want capabilities, but for some strange
reason prefer to do everything with modules.

> > These aren't the best reasons to keep it long term.
>
> Yes, it seems confusing to leave it. I can easily see people leaving it
> enabled as long as it remains without realizing that it is no longer
> serving any purpose. And it will definitely kick out an error message
> if you leave SELinux+capability enabled together due to the failed
> registration.

True. I'd prefer to have the whole of capabilities to simply be default
functionality always enabled. Leaving it in there is not required for
that.

This archive was generated by hypermail 2.1.3 : Fri Aug 26 2005 - 10:07:17 PDT