On Wed, Oct 26, 2011 at 2:49 PM, Tetsuo Handa <from-centos@i-love.sakura.ne.jp> wrote:
Akemi Yagi wrote:
I'm providing 2 alternatives. One is TOMOYO 1.x (out-of-tree patches that require recompilation of the kernel source package but can keep the kernel ABI) and the other is AKARI (a subset of TOMOYO 1.x, but a loadable kernel module). http://akari.sourceforge.jp/comparison.html
I checked the config options required for AKARI. Of the 5 options listed, one is not set in the current EL6 kernel:
# CONFIG_SECURITY_PATH is not set
You mentioned CONFIG_SECURITY_PATH is the one that breaks the kABI.
CONFIG_SECURITY_PATH is the one that is mandatory for TOMOYO 2.x but breaks the kABI. But CONFIG_SECURITY_PATH is optional for AKARI. AKARI was designed to be usable on RHEL kernels without changing the kernel config or patching the source.
I see. Then the AKARI kernel module will be a good (perfect?) candidate for ELRepo.
But TOMOYO 1.x would not?
TOMOYO 1.x does not need CONFIG_SECURITY_PATH because TOMOYO 1.x adds a new set of hooks similar to CONFIG_SECURITY_PATH. Thus, the kABI is preserved, but TOMOYO 1.x needs patching of the source.
In this case, the cplus kernel can accommodate TOMOYO 1.x. Can you think of any reason it cannot? Anything else to consider?
On a not so important subject, is TOMOYO written as 友代, and AKARI as 明? 灯り?
Akemi