This is a summary between me and Tetsuo Handa, which I inadvertently did not
post onto the mailing list. Unquoted text is Tetsuo's response to my question.

> I have one further question. If I were to install AKARI and create a
> set of policies, would these policies then work without change when
> running a kernel compiled with TOMOYO Linux 1.8.x on the same system?

If your kernel is 2.6.33 or higher and is built with CONFIG_SECURITY_PATH=y,
I think it will be possible to reuse policies regarding file access control
part. To do so, you will need to define profile as

  $profilenumber-CONFIG::network={ mode=disabled }
  $profilenumber-CONFIG::ipc={ mode=disabled }
  $profilenumber-CONFIG::capability={ mode=disabled }

in addition to

  $profilenumber-CONFIG={ mode=... }

If your kernel is built with CONFIG_SECURITY_NETWORK=y, I think it will be
possible to reuse policies regarding network access control part. To do so,
you will need to define profile as

  $profilenumber-CONFIG::network::inet_dgram_recv={ mode=disabled }
  $profilenumber-CONFIG::network::inet_raw_recv={ mode=disabled }
  $profilenumber-CONFIG::network::unix_dgram_recv={ mode=disabled }

in addition to

  $profilenumber-CONFIG::network={ mode=... }

If you used "auto_domain_transition=" keyword with accept() permission, the
policies may not be reusable because the timing AKARI checks accept()
permission and TOMOYO checks accept() permission are different.

> If this is possible, then I also assume that a set of policies created
> when running TOMOYO Linux 1.8 will also work when running AKARI, as
> long as rule enforcements that are not supported by AKARI are not
> used.

I think it works only if your kernel is 2.6.33 or higher and is built with
CONFIG_SECURITY_PATH=y.

If CONFIG_SECURITY_PATH=y, both AKARI and TOMOYO check directory modification
permissions like

  file create /path/to/file/from/namespace's/root

and therefore policy will be reusable.

If CONFIG_SECURITY_PATH=n, AKARI checks directory modification permissions
like

  file create dev($major,$minor):/path/to/file

whereas TOMOYO checks directory modification permissions like

  file create /path/to/file/from/namespace's/root

and therefore policy will not be reusable.

But these explanations are from what I expect (rather than what I confirmed).
Please test in both environments if you want to make reusable policies.

Regards.
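
The conditions in the reply above can be checked mechanically before trying to share a policy between AKARI and TOMOYO 1.8. The following is an added example, not part of the original exchange and not code from either project; it encodes only the expectations stated in the reply. The function names, the sample inputs, the "enforcing" mode value and the choice to emit no profile lines when the file part is not reusable are assumptions made for illustration.

```python
import re

# Constructed sample inputs (not from the original post).
SAMPLE_KCONFIG = "CONFIG_SECURITY=y\nCONFIG_SECURITY_PATH=y\n# CONFIG_SECURITY_NETWORK is not set\n"
SAMPLE_POLICY = "file create dev(8,1):/tmp/example\nfile create /tmp/example\n"

def kernel_tuple(release):
    """'2.6.35-22-generic' -> (2, 6, 35); a missing third field counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())

def enabled(kconfig, symbol):
    """True only for an exact SYMBOL=y line; '# SYMBOL is not set' counts as n."""
    return re.search(rf"^{re.escape(symbol)}=y\s*$", kconfig, re.M) is not None

def reuse_plan(release, kconfig, profile, mode, policy=""):
    """Return which policy parts the post expects to be reusable, the profile
    lines it lists for that case, and policy lines that need manual review."""
    file_ok = (kernel_tuple(release) >= (2, 6, 33)
               and enabled(kconfig, "CONFIG_SECURITY_PATH"))
    net_ok = enabled(kconfig, "CONFIG_SECURITY_NETWORK")
    p, lines = f"{profile}-CONFIG", []
    if file_ok:  # assumption: without the file part, no shared profile is emitted
        lines.append(f"{p}={{ mode={mode} }}")
        if net_ok:
            lines.append(f"{p}::network={{ mode={mode} }}")
            lines += [f"{p}::network::{c}={{ mode=disabled }}" for c in
                      ("inet_dgram_recv", "inet_raw_recv", "unix_dgram_recv")]
        else:
            lines.append(f"{p}::network={{ mode=disabled }}")
        lines += [f"{p}::ipc={{ mode=disabled }}",
                  f"{p}::capability={{ mode=disabled }}"]
    review = []
    for no, line in enumerate(policy.splitlines(), 1):
        if re.match(r"\s*file \S+ dev\(\d+,\d+\):", line):
            review.append((no, "device-prefixed path (CONFIG_SECURITY_PATH=n form)"))
        if "auto_domain_transition=" in line:
            review.append((no, "auto_domain_transition=: accept() check timing differs"))
    return {"file": file_ok, "network": net_ok, "profile": lines, "review": review}

if __name__ == "__main__":
    plan = reuse_plan("2.6.35-22-generic", SAMPLE_KCONFIG, 1, "enforcing", SAMPLE_POLICY)
    print("\n".join(plan["profile"]))
    print(plan["review"])
```

As the reply itself says, these rules are expectations rather than confirmed behaviour, so the output is a checklist for testing in both environments, not a guarantee.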