this post was submitted on 15 Dec 2025
98 points (100.0% liked)

Linux

10644 readers
423 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev
98
Torvalds On Linux Security Modules: "I Already Think We Have Too Many Of Those Pointless Things" (www.phoronix.com)
submitted 2 days ago by cm0002@literature.cafe to c/linux@programming.dev
9 comments fedilink hide all child comments
 

Stemming from a security researcher and his team proposing a new Linux Security Module (LSM) three years ago and it not being accepted to the mainline kernel, he raised issue over the lack of review/action to Linus Torvalds and the mailing lists. In particular, seeking more guidance for how new LSMs should be introduced and raised the possibility of taking the issue to the Linux Foundation Technical Advisory Board (TAB).

This mailing list post today laid out that a proposed TSEM LSM for a framework for generic security modeling was proposed but saw little review activity in the past three years or specific guidance on getting that LSM accepted to the Linux kernel. Thus seeking documented guidance on new Linux Security Module submissions for how they should be optimally introduced otherwise the developers are "prepared to pursue this through the [Technical Advisory Board] if necessary."

you are viewing a single comment's thread
view the rest of the comments
[–] fruitycoder@sh.itjust.works 1 points 17 hours ago* (last edited 17 hours ago)

To be fair. SELINUX always seems like THE answer with flexibility it provides with App armor being just SELINUX light...

It would make more sense to me to have better support for leveraging SELINUX primatives to accomplish the same things. I at least, don't know of any LSM features that can't be covered user:role:type:security level:catagorey and namespaces?

The issue is always that info is hard to know sometimes and programers can barely stop ourselves from running as root with all files in 777 mode let alone conceptualize those other attributes for files and services