Akemi Yagi wrote:
>> I'm providing 2 alternatives. One is TOMOYO 1.x (out of tree patches that require recompilation of kernel source package but can keep kernel ABI) and the other is AKARI (subset of TOMOYO 1.x but is a loadable kernel module). http://akari.sourceforge.jp/comparison.html
>
> I checked the config options required for AKARI. Of the 5 options listed, one is not set in the current EL6 kernel:
>
> # CONFIG_SECURITY_PATH is not set
>
> You mentioned CONFIG_SECURITY_PATH is the one that breaks the kABI.

CONFIG_SECURITY_PATH is the one that is mandatory for TOMOYO 2.x but breaks the kABI. But CONFIG_SECURITY_PATH is optional for AKARI. AKARI was designed to be usable on RHEL kernels without changing kernel config or patching to source.

> But TOMOYO 1.x would not?

TOMOYO 1.x does not need CONFIG_SECURITY_PATH because TOMOYO 1.x adds a new set of hooks similar to CONFIG_SECURITY_PATH. Thus, the kABI is preserved but TOMOYO 1.x needs patching to source.