From: John Johansen
Organization: Canonical
Date: Thu, 15 Sep 2022 07:54:52 -0700
Subject: Re: LSM stacking in next for 6.1?
To: Tetsuo Handa, Casey Schaufler, Paul Moore
Cc: LSM List, James Morris, linux-audit@redhat.com, Mimi Zohar, keescook@chromium.org, SElinux list
Message-ID: <9175fe91-8b5c-6715-940d-dddfd1f42131@canonical.com>
X-Mailing-List: selinux@vger.kernel.org

On 9/15/22 07:27, Tetsuo Handa wrote:
> On 2022/09/15 0:50, Casey Schaufler wrote:
>> On 9/14/2022 6:57 AM, Tetsuo Handa wrote:
>>> Please distinguish the difference between "enable" and "support" at
>>> https://bugzilla.redhat.com/show_bug.cgi?id=542986#c7 . (By the way,
>>> I hate the word "support", for nobody can share an agreed definition.)
>>>
>>> "enable" is something like "available", "allow to exist".
>>>
>>> "support" is something like "guaranteed", "provide efforts for fixing bugs".
>>>
>>> However, in Red Hat's world, "enable" == "support". The kernel config options
>>> enabled by Red Hat are supported by Red Hat, and the kernel config options Red Hat
>>> cannot support cannot be enabled by Red Hat.
>>
>> The "enable" == "support" model is consistent with the expectations of
>> paying customers.
>
> Regarding CONFIG_MODULES=y,
> "Vendor-A enables module-A" == "Vendor-A provides support for module-A" and
> "Vendor-B enables module-B" == "Vendor-B provides support for module-B".
>
> Regarding CONFIG_SECURITY=y (namely in the RH world),
> "Distributor-A enables LSM-A" == "Distributor-A provides support for LSM-A".
> However, "Distributor-A does not enable LSM-B" == "It is impossible for some vendor to
> provide support for LSM-B".
>
> "Distributor-A does not enable module-B" == "Distributor-A is not responsible for
> providing support for module-B" and "Vendor-B enables LSM-B" == "Vendor-B provides
> support for LSM-B" are what I expect.
>
> The current LSM interface does not allow LSM-B to exist in Distributor-A's systems.
> The "enable" == "support" model should be allowed for the LSM interface as well.
> What a strange asymmetry rule!
>
>>> On the contrary, in the vanilla kernel's world, the in-tree version of TOMOYO
>>> cannot be built as a loadable module LSM. And it is impossible to build TOMOYO
>>> as a loadable module LSM (so that TOMOYO can be used without the "support" by
>>> Red Hat). As a result, users cannot try LSMs (either in-tree or out-of-tree)
>>> other than SELinux.
>>
>> That is correct. Red Hat has chosen to support only SELinux. If you want
>> TOMOYO to be enabled in a distribution you need to sell the value to a
>> distributor (really, really hard) or (not recommended) become one yourself.
>
> What I'm asking is "allow non-SELinux to exist in RH systems".
> I'm not asking RH to "provide efforts for fixing non-SELinux".
> Being able to build the in-tree version of TOMOYO via "make M=security/tomoyo"
> releases RH from the "enable" == "support" spell.
>

I am sympathetic, I want this too. But RH choices are not a technical problem; they could easily enable and not support other LSMs (e.g. Ubuntu does). It is a political problem and I don't see loadable LSMs changing this.