TOMOYO's pull request for v6.12

Tetsuo Handa penguin-kernel at I-love.SAKURA.ne.jp
Fri Oct 4 10:50:05 UTC 2024


On 2024/10/04 1:29, Serge E. Hallyn wrote:
> Well, this didn't occur to me last night, but what I'd be curious to
> hear is whether Tetsuo has discussed this with RedHat.  Because unless
> this makes them say "ok we'll enable that", it still doesn't help him.
> And I don't imagine them agreeing to enable the CONFIG_TOMOYO_LKM.

The majority of the Linux users I work for are using Red Hat. But I have absolutely
too little of a relationship with Red Hat people to involve somebody else in
this problem. Too little attention/interest to make progress.
https://bugzilla.redhat.com/show_bug.cgi?id=2303689

Chicken-and-egg problem here; since TOMOYO is not available in Red Hat
kernels, I have no room/chance to help/get involved with the Red Hat community.

If I implement a subset of TOMOYO that does not refuse requests (something
like SELinux without the "enforcing mode"), can such an LSM module be accepted
by the upstream kernel? (The "patent examination" is a barrier for doing it.)

You might think that such an LSM module is not security. But TOMOYO is
also used as a sort of system-wide strace-like profiler. Understanding
what the users' systems are doing is useful/helpful for users.

If one of Red Hat's worries, that of refusing requests due to a broken policy, is
gone, the barrier for enabling such an LSM module in Red Hat's kernels will be
lowered. If such an LSM module becomes available in Red Hat kernels, I might be
able to find room/chance to help/get involved with the Red Hat community.



