On 26-03-2014 19:18, Leonid Isaev wrote:
1) Once we agreed to disable one LSM, everyone else said "we can enable LSM XYZ, too". And so we did. Right now, we enable SELinux, SMACK, Tomoyo, AppArmor and Yama, although we don't support the userspace for any of those.
I propose to drop all of them.
I agree regarding SELinux/Apparmor (it's not only userspace tools, but also sane application policies that are missing).
However, I don't think that Yama requires any userspace components, does it? Currently, I boot with "security=yama" and completely disabled non-admin ptrace (kernel.yama.ptrace_scope=2). Perhaps -ARCH kernels should keep Yama available albeit disabled by default (as they now do).
If the reason for dropping support is the lack of maintained userspace tools then tomoyo does have tomoyo-tools in [community]. However it requires the user to manage rules creation and maintenance. -- Mauro Santos