Re: [PATCH] remove sys_security

From: Stephen Smalley (
Date: Tue Oct 22 2002 - 07:22:26 EST

On Mon, 21 Oct 2002, Crispin Cowan wrote:

> Therefore, the sys_security syscall has been removed. LSM-aware
> applications that want to talk to security modules can do so through a
> file system interface. This will work for WireX, and Smalley says it
> will work for SELinux. I hope it will work for others.

Actually, with regard to using a pseudo filesystem interface, I said that
we could investigate it, but I have doubts about cleanly supporting the
extended forms of existing calls (e.g. execve_secure, mkdir_secure,
msgrcv_secure, recvmsg_secure, etc) using such an interface. I
raised the same issue when sys_security was originally discussed on
the lsm list long ago. SELinux extends the POSIX API to incorporate
security (specifically flexible mandatory access control) as a first class

However, I understand Christoph's objection to sys_security and am not
trying to revive that debate. We can hopefully have a dialogue about the
SELinux API with the kernel developers at a later time and come to some
consensus on a set of specific system calls that can be added to the
kernel to support equivalent functionality to the SELinux API.

Stephen D. Smalley, NAI Labs

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to More majordomo info at Please read the FAQ at

This archive was generated by hypermail 2b29 : Wed Oct 23 2002 - 22:00:58 EST