[EMAIL PROTECTED] ("Andrey Borzenkov") writes:
> I am not as sure. You can't unconditionally add them to
> /etc/sysctl.conf because they do not exist in normal kernel if you
> ever boot it. So you have to check on bootup if it is secure
> kernel. O.K. it is possible to check for /proc/sys/kernel/grsecurity
> ... (IIRC there was a bug that this has been created even when
> sysctl support has been disabled, maybe it is fixed now)
> IMHO removing ifdef SYSCTL is much more simple.
> I do not say that msec should not handle it as well :) I just say
> that if I configure feature as enabled in kernel I expect it to
> _really_ be enabled.
I understand that but msec should allow you to choose which options to
enable in secure kernel. If we do enable everything by default on the
secure kernel it will be very restrictive (not talking which
port/syscall to watch/log that cannot be done by a global
configuration from us).
Cheers, Chmouel.