[arch-general] user namespaces

Daniel Micay danielmicay at gmail.com
Thu Feb 2 16:49:38 UTC 2017


On Thu, 2017-02-02 at 17:39 +0100, Ralf Mardorf wrote:
> On Thu, 02 Feb 2017 11:22:28 -0500, Daniel Micay via arch-general
> wrote:
> > The reason for SELinux and AppArmor not being enabled for linux or
> > linux-grsec has to do with audit. If people were willing to do a bit
> > of work, all of the MAC implementations rather than only grsecurity
> > RBAC and TOMOYO could be available.
> 
> IIUC Mark Shuttleworth offered manpower to enable a standard mac-based
> security framework:
> https://lists.ubuntu.com/archives/snapcraft/2017-January/002247.html

There's a need to improve audit or remove the dependency on it. If there
was a kernel configuration option upstream to fully disable audit by
default and avoid logging / performance / security issues from it then
the kernel maintainers would likely be willing to enable it and the LSMs
depending on it again. They were disabled due to the drawbacks of audit,
combined with the lack of effort to actually use those LSMs on Arch. It
is not simply a matter of people not stepping up to integrate the MACs
but also the kernel requiring changes that our kernel maintainers are
not willing to carry out-of-tree.