Originally posted by uxmkt
In any case, SELinux is a thing that sits on the LSM and provides policy files to configure system-wide mandatory security features (basically blanket and per-process sandboxes that you can't sudo or chmod to get around). It works by default out of the box on many distros. Adding these new "lockdown settings" as an additional policy that could just be enabled by default seems like a nice idea. Other LSM security systems (GRSecurity, etc.) presumably can now also switch this on by default if they want, without having to recompile the kernel...