Re: Preferred subj= with multiple LSMs

Monday, 22 July 2019

On 7/22/2019 1:50 PM, James Morris wrote:
...
 On Fri, 19 Jul 2019, Paul Moore wrote:

>> We've never had to think about having general rules on
>> what security modules do before, because with only one
>> active each could do whatever it wanted without fear of
>> conflict. If there is already a character that none of
>> the existing modules use, how would it be wrong to
>> reserve it?
> "We've never had to think about having general rules on what security
> modules do before..."
>
> We famously haven't imposed restrictions on the label format before
> now, and this seems like a pretty poor reason to start.
 Agreed. 
In a follow on thread

https://www.spinics.net/lists/linux-security-module/msg29996.html

we've been discussing the needs of dbus-daemon in a multiple LSM
environment. I suggest that if supporting dbus well is assisted by
making reasonable restrictions on what constitutes a valid LSM
"context" that we have a good reason. While there are ways to
present groups of arbitrary hunks of data, why would we want to?

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Re: Preferred subj= with multiple LSMs