Re: LSM conversion to static interface

From: Greg KH
Date: Mon Oct 22 2007 - 13:13:43 EST


On Mon, Oct 22, 2007 at 10:00:46AM -0700, Thomas Fricaccia wrote:
> To possibly save bandwidth, I'll also respond to another of Greg's points:
>
> "Greg KH" <greg@xxxxxxxxx> wrote:
> > Any "customer" using a security model other than provided by their Linux
> > distributor instantly voided all support from that distro by doing that.
>
> This isn't necessarily true. In fact, I don't think it's even _remotely_
> likely to be typical.

But that is completly true _today_ and is the way that the "enterprise"
distros work. Do you have any evidence of it not being the case?

> Security is big business, as is compliance with regulatory law. Large
> enterprise customers are NOT going to either void their system support
> contracts, or place themselves in jeopardy of failing a SOX audit.

I agree, that is why customers do not load other random security modules
in their kernel today, and why they will not do so tomorrow. So,
because of that, this whole point about compliance with regulatory law
seems kind of moot :)

Again, LSM isn't going away at all, this is just one config option for
allowing LSM to work as a module that is changing. If a customer
demands that this feature come back, I'm sure that the big distros will
be the first to push for it. But currently, given that there are no
known external LSMs being used by customers demanding support, I don't
see what the big issue here really is.

thanks,

greg k-h
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/