[arch-general] [arch-dev-public] Trimming down our default kernel configuration

Mauro Santos registo.mailling at gmail.com
Wed Mar 26 16:03:04 EDT 2014


On 26-03-2014 19:18, Leonid Isaev wrote:
>> 1) Once we agreed to disable one LSM, everyone else said "we can enable
>> LSM XYZ, too". And so we did. Right now, we enable SELinux, SMACK,
>> Tomoyo, AppArmor and Yama, although we don't support the userspace for
>> any of those.
>>
>> I propose to drop all of them.
> 
> I agree regarding SELinux/Apparmor (it's not only userspace tools, but also
> sane application policies that are missing).
> 
> However, I don't think that Yama requires any userspace components, does it?
> Currently, I boot with "security=yama" and completely disabled non-admin
> ptrace (kernel.yama.ptrace_scope=2). Perhaps -ARCH kernels should keep Yama
> available albeit disabled by default (as they now do).
> 

If the reason for dropping support is the lack of maintained userspace
tools, then Tomoyo does have tomoyo-tools in [community]. However, it
requires the user to manage rule creation and maintenance.

-- 
Mauro Santos
