Akemi Yagi wrote: > > I'm providing 2 alternatives. One is TOMOYO 1.x (out of tree patches that > > require recompilation of kernel source package but can keep kernel ABI) and the > > other is AKARI (subset of TOMOYO 1.x but is a loadable kernel module). > > http://akari.sourceforge.jp/comparison.html > > I checked the config options required for AKARI. Of the 5 options > listed, one is not set in the current EL6 kernel: > > # CONFIG_SECURITY_PATH is not set > > You mentioned CONFIG_SECURITY_PATH is the one that breaks the kABI. CONFIG_SECURITY_PATH is the one that is mandatory for TOMOYO 2.x but breaks the kABI. But CONFIG_SECURITY_PATH is optional for AKARI. AKARI was designed to be usable on RHEL kernels without changing kernel config or patching to source. > But TOMOYO 1.x would not? TOMOYO 1.x does not need CONFIG_SECURITY_PATH because TOMOYO 1.x adds a new set of hooks similar to CONFIG_SECURITY_PATH. Thus, the kABI is preserved but TOMOYO 1.x needs patching to source.