On Wed, Oct 26, 2011 at 2:49 PM, Tetsuo Handa <from-centos at i-love.sakura.ne.jp> wrote: > Akemi Yagi wrote: >> > I'm providing 2 alternatives. One is TOMOYO 1.x (out of tree patches that >> > require recompilation of kernel source package but can keep kernel ABI) and the >> > other is AKARI (subset of TOMOYO 1.x but is a loadable kernel module). >> > http://akari.sourceforge.jp/comparison.html >> >> I checked the config options required for AKARI. Of the 5 options >> listed, one is not set in the current EL6 kernel: >> >> # CONFIG_SECURITY_PATH is not set >> >> You mentioned CONFIG_SECURITY_PATH is the one that breaks the kABI. > > CONFIG_SECURITY_PATH is the one that is mandatory for TOMOYO 2.x but breaks the > kABI. But CONFIG_SECURITY_PATH is optional for AKARI. AKARI was designed to be > usable on RHEL kernels without changing kernel config or patching to source. I see. Then the AKARI kernel module will be a good (perfect?) candidate for ELRepo. >> But TOMOYO 1.x would not? > > TOMOYO 1.x does not need CONFIG_SECURITY_PATH because TOMOYO 1.x adds a new set > of hooks similar to CONFIG_SECURITY_PATH. Thus, the kABI is preserved but > TOMOYO 1.x needs patching to source. In this case, the cplus kernel can accommodate TOMOYO 1.x. Can you think of any reason it cannot? Anything else to consider? On a not so important subject, is TOMOYO written as 友代, and AKARI as 明 ? 灯り ? Akemi