[RHEL7,COMMIT] security: enable CONFIG_SECURITY along with CONFIG_VE

Submitted by Konstantin Khorenko on Dec. 27, 2017, 10:47 a.m.

Details

Message ID 201712271047.vBRAlMCg012130@finist_ce7.work
State New
Series "security: enable CONFIG_SECURITY along with CONFIG_VE"
Headers show

Commit Message

Konstantin Khorenko Dec. 27, 2017, 10:47 a.m.
The commit is pushed to "branch-rh7-3.10.0-693.11.1.vz7.39.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-693.11.1.vz7.39.9
------>
commit 167b9da2d5eb5b44b111464c880643fd102ad2e3
Author: Konstantin Khorenko <khorenko@virtuozzo.com>
Date:   Wed Dec 27 13:41:48 2017 +0300

    security: enable CONFIG_SECURITY along with CONFIG_VE
    
    Various security hardening solutions work via LSM hooks
    so they need CONFIG_SECURITY which was disabled long ago
    because we had capabilities intersection with stock ones.
    
    Now we use user namespaces => no capabilities intersection =>
    no reason to disable CONFIG_SECURITY.
    
    Note: it does not mean SELinux will work inside a Container,
    but at least Host can be managed by that security solutions.
    
    https://jira.sw.ru/browse/PSBM-69451
    
    Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
---
 security/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch hide | download patch | download mbox

diff --git a/security/Kconfig b/security/Kconfig
index 4ba50f4bd742..3605d24112d7 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -20,7 +20,7 @@  config SECURITY_DMESG_RESTRICT
 
 config SECURITY
 	bool "Enable different security models"
-	depends on SYSFS && !VE
+	depends on SYSFS
 	help
 	  This allows you to choose different security modules to be
 	  configured into your kernel.