[RFC PATCH 2/2] security: Add mechanism to (un)load LSMs after boot time

Paul Moore paul at paul-moore.com
Tue Mar 27 11:52:31 UTC 2018


On Tue, Mar 27, 2018 at 4:08 AM, James Morris <jmorris at namei.org> wrote:
> On Mon, 26 Mar 2018, Sargun Dhillon wrote:
>> Today, the only "mutable" module we have is SELinux. It has a kernel
>> config flag which determines if it is unloadable (mutable) or not. If
>> you look at the patchset, it, in fact, sets mutability based on that
>> config flag:
>>
>>
>> -       security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
>> +       security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux",
>> +                               IS_ENABLED(CONFIG_SECURITY_SELINUX_DISABLE));
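Review bot: the new fourth argument to security_add_hooks() is a bare boolean at the call site, so a reader of this line cannot tell whether IS_ENABLED(CONFIG_SECURITY_SELINUX_DISABLE) evaluating to true means the hooks stay mutable (unloadable) or the opposite; a short comment above the call, or a named flag instead of a raw bool in the security_add_hooks() signature, would make the intent clear, and the definition side of the patch should be checked so the parameter's sense matches this call rather than its negation.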
>
> There has been discussion about removing the ability to unload SELinux --
> not sure what the current status of that is.

It is something I would still like to do, but there is some work that
needs to be done to allow a smooth transition for those people who are
currently disabling/unloading SELinux at runtime.

-- 
paul moore
www.paul-moore.com