Re: [Dazuko-devel] Dazuko's 6th birthday (Wiki)

[Adam Jerome]

Feb 11, 2008 at 12:14 PM, "Alon Bar-Lev" <address@hidden> wrote: 
> On 2/11/08, Adam Jerome <address@hidden> wrote:
>> As for Novell/SuSE, I suspect that the work done by upstream to make
>> LSM static-link only will most likely be reverted for SLED/SLES 11.
>> Meaning that LSM may continue to be a viable alternative for some time.

That is a great question.  I am not sure I have the correct answer.

I do know that as the patch was being considered, Linus called for anyone
to refute the patch; and more specifically, he asked all projects that were
using LSM (that might be considering submission of their project 
upstream at some point) to make them self known.  From what I saw, no
such projects made themselves known.

>From a (rather hard-core) upstream perception, the only one using LSM 
was SELinux (being that they were the only ones who had submitted 
upstream).  So, (as the logic went), if SELinux is the only valid LSM 
client and SELinux is a compiled-in kernel enhancement, why leave a
dynamic link LSM interface open which might be a security threat itself?

So, in the name of "nobody else will fess up to using LSM" and "A 
dynamic LSM interface is a security threat", Linus accepted the patch
which closed LSM to dynamically loaded modules.

I feel that this action was hasty; that making LSM a static-link-only
interface is very short-sited.  It shut the door to many up-and-comming
security related projects (that were just not ready for submission upstream).
This action obviously gives an unfair advantage to the SELinux camp.  

-adam