* [PATCH -rt] panic on SLIM + selinux
From: Daniel Walker @ 2006-12-30 15:48 UTC
To: akpm; +Cc: linux-kernel, Mimi Zohar, Kylene Hall
If you have both SLIM and selinux compiled into your kernel selinux will panic
if it can't register itself. The code below,

	if (register_security (&selinux_ops))
		panic("SELinux: Unable to register with kernel.\n");

"security/selinux/hooks.c" 5014 lines --95%-- 4811,35 96%

This could be a bug report cause I bet there's a better way to make these mutually
exclusive.

Signed-Off-By: Daniel Walker <dwalker@mvista.com>
---
security/slim/Kconfig | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
Index: linux-2.6.19/security/slim/Kconfig
===================================================================
--- linux-2.6.19.orig/security/slim/Kconfig
+++ linux-2.6.19/security/slim/Kconfig
@@ -1,6 +1,6 @@
config SECURITY_SLIM
boolean "SLIM support"
- depends on SECURITY && SECURITY_NETWORK && INTEGRITY
+ depends on SECURITY && SECURITY_NETWORK && INTEGRITY && !SECURITY_SELINUX
help
The Simple Linux Integrity Module implements a modified low water-mark
mandatory access control integrity model.
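Review bot: The !SECURITY_SELINUX term added to the "depends on" line only hides one combination at build time; the panic() after register_security(&selinux_ops) quoted in the changelog is untouched, so SELinux still brings the kernel down whenever something else already holds the registration. The dependency also makes SLIM unselectable in every config that enables SELinux, which rules out building both and choosing one at boot. If the exclusion is kept, the changelog should say why it belongs in SLIM's Kconfig rather than in the registration path.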
--
* Should be [PATCH -mm] -- Re: [PATCH -rt] panic on SLIM + selinux
From: Daniel Walker @ 2006-12-30 15:53 UTC
To: akpm; +Cc: linux-kernel, Mimi Zohar, Kylene Hall
Sorry, really for -mm.
On Sat, 2006-12-30 at 07:48 -0800, Daniel Walker wrote:
> If you have both SLIM and selinux compiled into your kernel selinux will panic
> if it can't register itself. The code below,
>
> 	if (register_security (&selinux_ops))
> 		panic("SELinux: Unable to register with kernel.\n");
>
> "security/selinux/hooks.c" 5014 lines --95%-- 4811,35 96%
>
> This could be a bug report cause I bet there's a better way to make these mutually
> exclusive.
>
> Signed-Off-By: Daniel Walker <dwalker@mvista.com>
>
> ---
> security/slim/Kconfig | 2 +-
> 1 files changed, 1 insertion(+), 1 deletion(-)
>
> Index: linux-2.6.19/security/slim/Kconfig
> ===================================================================
> --- linux-2.6.19.orig/security/slim/Kconfig
> +++ linux-2.6.19/security/slim/Kconfig
> @@ -1,6 +1,6 @@
> config SECURITY_SLIM
> boolean "SLIM support"
> - depends on SECURITY && SECURITY_NETWORK && INTEGRITY
> + depends on SECURITY && SECURITY_NETWORK && INTEGRITY && !SECURITY_SELINUX
> help
> The Simple Linux Integrity Module implements a modified low water-mark
> mandatory access control integrity model.
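Review bot: The help text under config SECURITY_SLIM is left as it was, so nothing tells a user why "SLIM support" is missing from the menu once SECURITY_SELINUX is set. Add a sentence to the help text, or at least to the changelog, stating that SLIM cannot be selected together with SELinux and that the reason is the registration panic.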
* Re: Should be [PATCH -mm] -- Re: [PATCH -rt] panic on SLIM + selinux
From: Mimi Zohar @ 2007-01-02 18:05 UTC
To: Daniel Walker; +Cc: akpm, kjhall, linux-kernel
Being able to compile both SELinux and SLIM into the kernel was done
intentionally. The kernel parameters 'selinux' and 'slim' can enable
or disable the LSM module at boot. Perhaps, for the time being, the
SECURITY_SLIM_BOOTPARAM_VALUE should default to 0.
Mimi
* Re: Should be [PATCH -mm] -- Re: [PATCH -rt] panic on SLIM + selinux
From: Daniel Walker @ 2007-01-02 19:01 UTC
To: Mimi Zohar; +Cc: akpm, kjhall, linux-kernel
On Tue, 2007-01-02 at 13:05 -0500, Mimi Zohar wrote:
> Being able to compile both SELinux and SLIM into the kernel was done
> intentionally. The kernel parameters 'selinux' and 'slim' can enable
> or disable the LSM module at boot. Perhaps, for the time being, the
> SECURITY_SLIM_BOOTPARAM_VALUE should default to 0.
They currently don't play nice together, i.e. the kernel panics with
both compiled in together and default settings. So something needs to
change.
Daniel
* Re: Should be [PATCH -mm] -- Re: [PATCH -rt] panic on SLIM + selinux
From: Serge E. Hallyn @ 2007-01-02 21:40 UTC
To: Mimi Zohar; +Cc: Daniel Walker, akpm, kjhall, linux-kernel, Stephen Smalley
Quoting Mimi Zohar (zohar@us.ibm.com):
> Being able to compile both SELinux and SLIM into the kernel was done
> intentionally.
Intentionally so that you can switch back and forth for testing?
> The kernel parameters 'selinux' and 'slim' can enable
> or disable the LSM module at boot. Perhaps, for the time being, the
> SECURITY_SLIM_BOOTPARAM_VALUE should default to 0.
That should solve the problem for most people. People wanting to
test with slim will still have to specify 'selinux=0' or get the
boot failure. But I suspect that having selinux automatically
not load when slim is loaded will be considered too unsafe?
Mimi, what about moving slim down below selinux in the Makefile,
and having slim refuse to load if security_ops is not an _ops you
know about (i.e. dummy_ops or capability_ops)? Then you can leave
SECURITY_SLIM_BOOTPARAM_VALUE as 1, and users just have to say
'selinux=0' to boot slim? Just a thought, maybe less intuitive...
-serge
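
A userspace model of the registration behaviour argued over in this thread, added here as an illustration; it is not kernel code and not code from any poster. It assumes a single registration slot that only accepts a module while the dummy ops are installed, and that SLIM currently initialises before SELinux (inferred from the suggestion to move it below); boot() and enum layout are hypothetical names, and the capability_ops case is not modelled.

```c
#include <stdio.h>
#include <string.h>

struct security_operations { const char *name; };

static struct security_operations dummy_ops   = { "dummy" };
static struct security_operations selinux_ops = { "selinux" };
static struct security_operations slim_ops    = { "slim" };
static struct security_operations *security_ops = &dummy_ops;

/* Assumed semantics: one slot, taken only while the dummy ops are installed. */
static int register_security(struct security_operations *ops)
{
	if (security_ops != &dummy_ops)
		return -1;
	security_ops = ops;
	return 0;
}

/* SLIM_FIRST: assumed current init order.
 * SLIM_LAST_CHECKED: SLIM runs after SELinux and only takes an empty slot. */
enum layout { SLIM_FIRST, SLIM_LAST_CHECKED };

/* selinux / slim model the boot parameters (1 = enabled).
 * Returns the active module name, or "panic" if SELinux cannot register. */
static const char *boot(enum layout l, int selinux, int slim)
{
	security_ops = &dummy_ops;
	if (l == SLIM_FIRST && slim)
		(void)register_security(&slim_ops);  /* slot is empty here */
	if (selinux && register_security(&selinux_ops))
		return "panic";                      /* the hooks.c path quoted in the patch mail */
	if (l == SLIM_LAST_CHECKED && slim && security_ops == &dummy_ops)
		(void)register_security(&slim_ops);  /* decline if the slot is held */
	return security_ops->name;
}

int main(void)
{
	printf("both enabled, slim first:        %s\n", boot(SLIM_FIRST, 1, 1));
	printf("slim defaults to 0:              %s\n", boot(SLIM_FIRST, 1, 0));
	printf("selinux=0, slim first:           %s\n", boot(SLIM_FIRST, 0, 1));
	printf("both enabled, slim last+checked: %s\n", boot(SLIM_LAST_CHECKED, 1, 1));
	printf("selinux=0, slim last+checked:    %s\n", boot(SLIM_LAST_CHECKED, 0, 1));
	return 0;
}
```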