From: Russell Coker
To: SELinux Reference Policy mailing list
Subject: pidfs
Date: Sat, 07 Dec 2024 14:22:41 +1100
Message-ID: <1985778.PYKUYFuaPT@cupcakke>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

What's this new pidfs that seems to have just become visible in 6.11.10 or similar recent kernels?

https://lwn.net/Articles/714932/

The above article has some information about a previous iteration of it, apparently not a separate mountable filesystem but a part of /proc that can be mounted as part of a container.

I'm seeing the following audit entries about it; what should we do in policy about this?

type=AVC msg=audit(1733540968.538:31305): avc: denied { getattr } for pid=1465 comm="systemd" name="/" dev="pidfs" ino=1 scontext=etbe:user_r:user_systemd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
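One way to triage a record like the one quoted above, as an added example that is not part of the post or of refpolicy: a small Python parser pulls the fields out of the AVC line and flags denials whose target is unlabeled_t on the filesystem class, which is the signature of a filesystem type the policy has no fs_use_* or genfscon labeling statement for. The sample record is the AVC line from the post, embedded here as a constant; the function names are this example's own.

```python
import re

# The AVC record quoted in the post, embedded as the sample input.
SAMPLE_AVC = (
    'type=AVC msg=audit(1733540968.538:31305): avc: denied { getattr } for '
    'pid=1465 comm="systemd" name="/" dev="pidfs" ino=1 '
    'scontext=etbe:user_r:user_systemd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0'
)

_PERMS = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")   # the { perm ... } set
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')             # key=value or key="value"


def parse_avc(line):
    """Return the AVC record's fields as a dict, or None for a non-denial line."""
    if "avc: denied" not in line:
        return None
    m = _PERMS.search(line)
    fields = {"perms": m.group(1).split() if m else []}
    for key, val in _KV.findall(line):
        fields[key] = val.strip('"')   # comm, name and dev are quoted in the log
    return fields


def context_type(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def unlabeled_fs_denial(line):
    """If the denial targets an unlabeled filesystem, return (dev, perms, source type).

    A tcontext of unlabeled_t with tclass=filesystem means the kernel found no
    labeling rule for that filesystem type, so every access to it is denied
    until the policy gains an fs_use_* or genfscon statement for it.
    """
    f = parse_avc(line)
    if f is None or f.get("tclass") != "filesystem":
        return None
    if context_type(f.get("tcontext", "")) != "unlabeled_t":
        return None
    return f.get("dev"), f["perms"], context_type(f.get("scontext", ""))


if __name__ == "__main__":
    hit = unlabeled_fs_denial(SAMPLE_AVC)
    if hit:
        dev, perms, src = hit
        print(f"filesystem {dev!r} is unlabeled: {src} denied {' '.join(perms)}")
```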