On Mon, 18 Aug 2025 at 21:24:07 -0500, Jacob Bachmeyer wrote:
Does this need to be an entirely new module or could it be an extension to
SELinux?
If it isn't a core kernel enhancement like
/proc/sys/fs/protected_symlinks, then it would be better to have this as
a new LSM, or perhaps extend an existing "small" LSM like Yama.
Only one "big" LSM (with labelling) can be active at a time, so loading
AppArmor excludes SELinux and vice versa, meaning that each distro has
to choose whether they will have SELinux, AppArmor, Smack or none of
those by default. Lifting that restriction has been in progress for a
while, but it's difficult to achieve and the relevant APIs assume there
is only one "big" LSM. But any number of "small" LSMs like Yama and
Landlock can coexist with up to one "big" LSM.
Even if the SELinux team saw it as in-scope (which I suspect they might
not), adding this functionality to SELinux would not protect AppArmor
users and vice versa, whereas having it in a "small" LSM would benefit
everyone.
smcv
