On Wed, Apr 6, 2016 at 2:23 PM, David Miller <[email protected]> wrote:
> From: Paul Moore <[email protected]>
> Date: Wed, 6 Apr 2016 10:07:27 -0400
>
>> "While marking the LSM hook structure doesn't directly affect the
>> SELinux netfilter hooks, once we remove the ability to deregister the
>> LSM hooks we will have no need to support deregistering netfilter
>> hooks and I expect we will drop that functionality as well to help
>> decrease the risk of tampering."
>
> This is not a reasonable position.
>
> The performance implications are non-trivial for using netfilter hooks
> when they aren't actually needed.
With all due respect, I think you've taken what I consider to be some unreasonable positions when it comes to the network stack and LSMs in the past. We have different perspectives and different priorities as a result; from my perspective, the security advantage gained by eliminating the ability to disable SELinux at runtime is more important.

--
paul moore
www.paul-moore.com
