[arch-general] [arch-dev-public] Trimming down our default kernel configuration

Thomas Bächler thomas at archlinux.org
Thu Mar 27 18:49:45 EDT 2014


On 27.03.2014 20:33, Nicolas Iooss wrote:
> TL;DR: this is a technical answer which can be seen as slightly
> off-topic as it focuses only on SELinux and not much about kernel config
> trimming.

Very interesting, thanks for looking into it deeper. I'll leave most of
this uncommented.

> This does sound weird. Could you please give me some references to
> this so that I can understand better? I only know that SELinux uses
> the audit subsystem to report denials and that the audit subsystem can
> be disabled at boot time using "audit=0" kernel command line parameter
> (and also I've read
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/audit.c?id=v3.13#n1001).

Okay, you are right, it wasn't AppArmor, it was SELinux. According to
Kconfig, SELinux depends on Audit.

And here is my problem: Audit is enabled by default and must be
explicitly disabled by the admin. This is a showstopper for me! There is
no kernel option to configure audit to be disabled by default (as far as
I am aware) so that it can be enabled with 'audit=1' on the command line.

As long as SELinux needs audit and audit is enabled by default, SELinux
will not make it to the 3.14+ versions of our linux package.

