Preferred subj= with multiple LSMs

Casey Schaufler casey at schaufler-ca.com
Fri Jul 12 16:33:55 UTC 2019


Which of these options would be preferred for audit records
when there are multiple active security modules? I'm not asking
if we should do it, I'm asking which of these options I should
implement when I do do it. I've prototyped #1 and #2. #4 is a
minor variant of #1 that is either better for compatibility or
worse, depending on how you want to look at it. I understand
that each of these offers challenges. If I've missed something
obvious, I'd be delighted to consider #5.

Thank you.

Option 1:

	subj=selinux='x:y:z:s:c',apparmor='a'

Option 2:

	subj=x:y:z:s:c subj=a

Option 3:

	lsms=selinux,apparmor subj=x:y:z:s:c subj=a

Option 4:

	subjs=selinux='x:y:z:s:c',apparmor='a'

Option 5:

	Something else.
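
How each of the four formats above looks to a consumer of the record, as an added example that is not part of the original message. `legacy_subj` is a hypothetical single-LSM parser that keeps one `subj` per record (last one wins) and `subjects` is a hypothetical multi-LSM-aware parser; the `type=` and `pid=` fields in the sample records are constructed.

```python
import re

# Constructed sample records: only the subj-related fields are taken from
# Options 1-4 in the message; the type= and pid= fields are made up.
RECORDS = {
    1: "type=SYSCALL pid=42 subj=selinux='x:y:z:s:c',apparmor='a'",
    2: "type=SYSCALL pid=42 subj=x:y:z:s:c subj=a",
    3: "type=SYSCALL pid=42 lsms=selinux,apparmor subj=x:y:z:s:c subj=a",
    4: "type=SYSCALL pid=42 subjs=selinux='x:y:z:s:c',apparmor='a'",
}

# Matches one name='value' element of the compound form (Options 1 and 4).
_PAIR = re.compile(r"(\w+)='([^']*)'")


def fields(record):
    """Split a record into ordered (name, value) pairs on whitespace."""
    return [tuple(tok.split("=", 1)) for tok in record.split()]


def legacy_subj(record):
    """Hypothetical single-LSM consumer: one subj per record, last wins."""
    return dict(fields(record)).get("subj")


def subjects(record):
    """Hypothetical multi-LSM consumer.

    Returns {lsm: context} when the record names the modules
    (Options 1, 3 and 4), otherwise the bare contexts in record order.
    """
    pairs = fields(record)
    values = [v for k, v in pairs if k in ("subj", "subjs")]
    named = _PAIR.findall(" ".join(values))
    if named:                                   # Options 1 and 4
        return dict(named)
    lsms = dict(pairs).get("lsms")
    if lsms:                                    # Option 3: pair by position
        return dict(zip(lsms.split(","), values))
    return values                               # Option 2: order is the only label


if __name__ == "__main__":
    for n, rec in RECORDS.items():
        print(n, repr(legacy_subj(rec)), subjects(rec))
```
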




