From: Greg KH <greg@kroah.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>,
Eric Paris <eparis@parisplace.org>,
Daniel J Walsh <dwalsh@redhat.com>,
Lennart Poettering <mzerqung@0pointer.de>,
linux-security-module@vger.kernel.org,
systemd-devel@lists.freedesktop.org, selinux@tycho.nsa.gov
Subject: Re: [PATCH] SELINUX: add /sys/fs/selinux mount point to put selinuxfs
Date: Mon, 2 May 2011 15:02:42 -0700
Message-ID: <20110502220242.GA30712@kroah.com>
In-Reply-To: <1304342680.16563.35.camel@moss-pluto>
On Mon, May 02, 2011 at 09:24:40AM -0400, Stephen Smalley wrote:
> On Fri, 2011-04-29 at 18:19 -0700, Greg KH wrote:
> > From: Greg Kroah-Hartman <gregkh@suse.de>
> >
> > In the interest of keeping userspace from having to create new root
> > filesystems all the time, let's follow the lead of the other in-kernel
> > filesystems and provide a proper mount point for it in sysfs.
> >
> > For selinuxfs, this mount point should be in /sys/fs/selinux/
> >
> > Cc: Stephen Smalley <sds@tycho.nsa.gov>
> > Cc: James Morris <jmorris@namei.org>
> > Cc: Eric Paris <eparis@parisplace.org>
> > Cc: Lennart Poettering <mzerqung@0pointer.de>
> > Cc: Daniel J Walsh <dwalsh@redhat.com>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
> >
> > ---
> >
> > Note, patch is untested, I don't have any selinux-based machines here,
> > sorry.
>
> If I understand correctly, the patch won't change any userspace-visible
> behavior until one has a new libselinux that actually mounts selinuxfs
> on /sys/fs/selinux instead of /selinux, right?
Correct.
> At that point, we have to ensure that all userspace that directly
> references /selinux rather than using libselinux is changed to use
> libselinux. You might argue that all such userspace is broken already,
> but given that selinuxfs has been mounted on /selinux ever since SELinux
> went into mainline in 2003, it is difficult to blame them. Using
> codesearch.google.com on
> e.g. /selinux/enforce, /selinux/load, /selinux/booleans, /selinux/mls,
> etc turns up a number of examples, including glibc (a test case),
> puppet, dracut, anaconda, etc.
>
> Policy implication: Any program that needs to access selinuxfs will
> need to be able to search sysfs too.
>
> Added dependency: Any system that uses SELinux will need to enable and
> mount sysfs (or alternatively create at least a fake /sys/fs directory).
> I assume that sysfs is fairly universal at this point though, like proc?
Yes it is.
Care to forward this on to James for the next kernel merge window?
thanks,
greg k-h
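The thread's point is that userspace which hardcodes /selinux/enforce and friends breaks the moment libselinux starts mounting selinuxfs on /sys/fs/selinux. The following is an added example, not code from the patch or from libselinux: it shows how a program that cannot link libselinux can still avoid the hardcoded path by locating selinuxfs by filesystem type in /proc/mounts (roughly the approach libselinux itself takes). The /proc/mounts text below is constructed for the example; `find_selinuxfs_mount`, `check_mount` and `selinux_mnt_path` are names chosen here, not part of any real API.

```c
/*
 * Locate the selinuxfs mount point by fs type instead of assuming /selinux
 * or /sys/fs/selinux. Works for both the historical and the new location.
 * (Added example; the sample /proc/mounts content is constructed.)
 */
#include <stdio.h>
#include <string.h>

/* Constructed /proc/mounts content, new-style mount under sysfs. */
static const char SAMPLE_MOUNTS_NEW[] =
    "rootfs / rootfs rw 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n"
    "devtmpfs /dev devtmpfs rw,nosuid,size=4096k 0 0\n";

/* Constructed /proc/mounts content, historical mount on /selinux. */
static const char SAMPLE_MOUNTS_LEGACY[] =
    "proc /proc proc rw 0 0\n"
    "selinuxfs /selinux selinuxfs rw 0 0\n";

/* Constructed /proc/mounts content with no selinuxfs at all. */
static const char SAMPLE_MOUNTS_NONE[] =
    "proc /proc proc rw 0 0\n"
    "sysfs /sys sysfs rw 0 0\n";

/*
 * Scan mounts_text (in /proc/mounts format: device mountpoint fstype opts
 * dump pass) for an entry whose fstype is "selinuxfs". On success copy the
 * mount point into out and return 0; return -1 if none is found or if the
 * mount point does not fit in out. Lines longer than 511 bytes are skipped.
 */
int find_selinuxfs_mount(const char *mounts_text, char *out, size_t outlen)
{
    const char *line = mounts_text;

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];

        if (len < sizeof(buf)) {
            char dev[256], mnt[256], type[64];

            memcpy(buf, line, len);
            buf[len] = '\0';
            /* /proc/mounts escapes whitespace in names, so %s is safe here. */
            if (sscanf(buf, "%255s %255s %63s", dev, mnt, type) == 3 &&
                strcmp(type, "selinuxfs") == 0) {
                if (strlen(mnt) + 1 > outlen)
                    return -1;
                strcpy(out, mnt);
                return 0;
            }
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return -1;
}

/* Helper for checks: 1 if mounts_text yields exactly expected, else 0. */
int check_mount(const char *mounts_text, const char *expected)
{
    char mnt[256];

    if (find_selinuxfs_mount(mounts_text, mnt, sizeof(mnt)) != 0)
        return expected == NULL;
    return expected != NULL && strcmp(mnt, expected) == 0;
}

/*
 * Live variant: read the real /proc/mounts. -1 means selinuxfs is not
 * mounted (or /proc is unavailable); callers should treat that as
 * "SELinux not present" rather than falling back to a guessed path.
 */
int selinux_mnt_path(char *out, size_t outlen)
{
    FILE *f = fopen("/proc/mounts", "r");
    char text[16384];
    size_t n = 0;

    if (f) {
        n = fread(text, 1, sizeof(text) - 1, f);
        fclose(f);
    }
    text[n] = '\0';
    if (n && find_selinuxfs_mount(text, out, outlen) == 0)
        return 0;
    return -1;
}

int main(void)
{
    char mnt[256];

    if (selinux_mnt_path(mnt, sizeof(mnt)) == 0)
        printf("selinuxfs mounted at %s (use %s/enforce, not /selinux/enforce)\n", mnt, mnt);
    else
        printf("selinuxfs not mounted on this system\n");
    return 0;
}
```

Once the mount point is known, paths such as `<mnt>/enforce` or `<mnt>/booleans` are built from it rather than from a literal. The policy caveat raised in the quoted mail still applies: a confined domain that reaches selinuxfs through /sys/fs/selinux needs search permission on sysfs as well as on selinuxfs.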
[not found] <20110430011950.GA11566@kroah.com>
2011-05-02 13:24 ` [PATCH] SELINUX: add /sys/fs/selinux mount point to put selinuxfs Stephen Smalley
2011-05-02 22:02 ` Greg KH [this message]
2011-05-02 22:54 ` Eric Paris
2011-05-02 23:19 ` Greg KH