On Tue, Nov 28, 2017 at 11:32 AM, Theodore Ts'o [off-list ref] wrote:

On Tue, Nov 28, 2017 at 01:16:59PM +0100, Geo Kozey wrote:

quoted

Userspace can be configured in a way which is compatible with those
changes being on the same as it can be configured to work with
selinux. That means on distro level or sysadmin level it's a
valuable tool. It's better than nothing and it's better than using
some out-of-tree patches instead. Switching one sysctl would make
their life easier.

If *selinux* can opt-in to something more stringent, such that when
you upgrade to a new version of selinux which enables something which
breaks all modules unless you set up the rules corretly, I don't see a
problem with it.  It might force distributions not to go to the latest
version of SELinux because users get cranky when their systems get
broken, but for people like me, who *still* don't use SELinux because
every few years, i try to enable on my development laptop running
Debian, watch ***far*** too much stuff break. and then turn it off
again.  So tieing it to SELinux (as far as I am concerned) reduces it to
a previously unsolved problem.  :-)

But that's different from opting it on by default for non-SELinux
users.  To which I can only say, "Please, No."

I don't want to see this tied to SELinux because it narrows the
audience, and SELinux still hasn't solved their issues in containers.
I think the per-task setting is sufficient.

Linus, are you okay with this series if the global sysctl gets dropped?

-Kees

-- 
Kees Cook
Pixel Security
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html