[Devel] [PATCH RHEL7 COMMIT] security: enable CONFIG_SECURITY along with CONFIG_VE
Konstantin Khorenko
khorenko at virtuozzo.com
Wed Dec 27 13:47:22 MSK 2017
The commit is pushed to "branch-rh7-3.10.0-693.11.1.vz7.39.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-693.11.1.vz7.39.9
------>
commit 167b9da2d5eb5b44b111464c880643fd102ad2e3
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date: Wed Dec 27 13:41:48 2017 +0300
security: enable CONFIG_SECURITY along with CONFIG_VE
Various security hardening solutions work via LSM hooks
so they need CONFIG_SECURITY which was disabled long ago
because we had capabilities intersection with stock ones.
Now we use user namespaces => no capabilities intersection =>
no reason to disable CONFIG_SECURITY.
Note: it does not mean SELinux will work inside a Container,
but at least Host can be managed by those security solutions.
https://jira.sw.ru/browse/PSBM-69451
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
security/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/Kconfig b/security/Kconfig
index 4ba50f4bd742..3605d24112d7 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -20,7 +20,7 @@ config SECURITY_DMESG_RESTRICT
config SECURITY
bool "Enable different security models"
- depends on SYSFS && !VE
+ depends on SYSFS
help
This allows you to choose different security modules to be
configured into your kernel.
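Review bot: The subject says "enable CONFIG_SECURITY", but the changed `depends on SYSFS` line in `config SECURITY` only makes the option selectable when VE is set; this one-file patch touches no kernel config, so the option stays off unless the shipped config is updated separately. Either reword the subject to something like "allow CONFIG_SECURITY with CONFIG_VE" or send the config change in the same series. The commit message's caveat that SELinux is not expected to work inside a Container is also worth carrying into the `help` text of this entry, since that is where someone enabling an LSM on a VE kernel will look, and the `help` lines are left unchanged here.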