* selinuxfs
@ 2006-06-11 8:42 Mario Fanelli
2006-06-12 14:56 ` selinuxfs Stephen Smalley
0 siblings, 1 reply; 5+ messages in thread
From: Mario Fanelli @ 2006-06-11 8:42 UTC (permalink / raw)
To: SeLinux Mailing List
Under the directory /selinux, I found these files but I don't understand their
meaning.
access
checkreqprot
context
create
disable
enforce
load
member
mls
null
policyvers
relabel
user
Can anyone give me some help?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: selinuxfs
2006-06-11 8:42 selinuxfs Mario Fanelli
@ 2006-06-12 14:56 ` Stephen Smalley
0 siblings, 0 replies; 5+ messages in thread
From: Stephen Smalley @ 2006-06-12 14:56 UTC (permalink / raw)
To: Mario Fanelli; +Cc: SeLinux Mailing List
On Sun, 2006-06-11 at 10:42 +0200, Mario Fanelli wrote:
> Under the directory /selinux, I found these files but I don't understand their
> meaning.
>
> access
> checkreqprot
> context
> create
> disable
> enforce
> load
> member
> mls
> null
> policyvers
> relabel
> user
>
> Can anyone give me some help?
I suppose a selinuxfs man page might be nice. selinux-doc/README has a
brief description at the end of the original set of selinuxfs nodes, but
hasn't been kept up to date. Note that you really aren't supposed to
directly operate on the selinuxfs nodes - you should access them
indirectly via the libselinux interfaces (using helper utilities as
appropriate) for portability.
--
Stephen Smalley
National Security Agency
* RE: selinuxfs
@ 2006-06-13 20:02 Wightman, Reid K Civ AFRL/IFEB
2006-06-13 22:22 ` selinuxfs Joshua Brindle
2006-06-14 12:06 ` selinuxfs Stephen Smalley
0 siblings, 2 replies; 5+ messages in thread
From: Wightman, Reid K Civ AFRL/IFEB @ 2006-06-13 20:02 UTC (permalink / raw)
To: selinux
> I suppose a selinuxfs man page might be nice.
> selinux-doc/README has a brief description at the end of the
> original set of selinuxfs nodes, but hasn't been kept up to
> date. Note that you really aren't supposed to directly
> operate on the selinuxfs nodes - you should access them
> indirectly via the libselinux interfaces (using helper utilities as
> appropriate) for portability.
I'm tinkering with some of the libselinux functions right now and getting a
strange error from security_compute_user(). I see that it copies data out
of <selinuxfs>/user . On my system, this file is 0 bytes (everything is
stock FC5, selinux status is enabled/targeted/permissive, and I just
reloaded the policy). Is this right? How do the files here get populated?
Thanks,
Reid
* Re: selinuxfs
2006-06-13 20:02 selinuxfs Wightman, Reid K Civ AFRL/IFEB
@ 2006-06-13 22:22 ` Joshua Brindle
2006-06-14 12:06 ` selinuxfs Stephen Smalley
1 sibling, 0 replies; 5+ messages in thread
From: Joshua Brindle @ 2006-06-13 22:22 UTC (permalink / raw)
To: Wightman, Reid K Civ AFRL/IFEB; +Cc: selinux
Wightman, Reid K Civ AFRL/IFEB wrote:
>
>> I suppose a selinuxfs man page might be nice.
>> selinux-doc/README has a brief description at the end of the
>> original set of selinuxfs nodes, but hasn't been kept up to
>> date. Note that you really aren't supposed to directly
>> operate on the selinuxfs nodes - you should access them
>> indirectly via the libselinux interfaces (using helper utilities as
>> appropriate) for portability.
>>
>
> I'm tinkering with some of the libselinux functions right now and getting a
> strange error from security_compute_user(). I see that it copies data out
> of <selinuxfs>/user . On my system, this file is 0 bytes (everything is
> stock FC5, selinux status is enabled/targeted/permissive, and I just
> reloaded the policy). Is this right? How do the files here get populated?
>
>
See security/selinux/selinuxfs.c.
It's a pseudo filesystem like /proc, which has callbacks in the kernel
when the file is read or written to.
* RE: selinuxfs
2006-06-13 20:02 selinuxfs Wightman, Reid K Civ AFRL/IFEB
2006-06-13 22:22 ` selinuxfs Joshua Brindle
@ 2006-06-14 12:06 ` Stephen Smalley
1 sibling, 0 replies; 5+ messages in thread
From: Stephen Smalley @ 2006-06-14 12:06 UTC (permalink / raw)
To: Wightman, Reid K Civ AFRL/IFEB; +Cc: selinux
On Tue, 2006-06-13 at 16:02 -0400, Wightman, Reid K Civ AFRL/IFEB wrote:
>
> > I suppose a selinuxfs man page might be nice.
> > selinux-doc/README has a brief description at the end of the
> > original set of selinuxfs nodes, but hasn't been kept up to
> > date. Note that you really aren't supposed to directly
> > operate on the selinuxfs nodes - you should access them
> > indirectly via the libselinux interfaces (using helper utilities as
> > appropriate) for portability.
>
> I'm tinkering with some of the libselinux functions right now and getting a
> strange error from security_compute_user(). I see that it copies data out
> of <selinuxfs>/user . On my system, this file is 0 bytes (everything is
> stock FC5, selinux status is enabled/targeted/permissive, and I just
> reloaded the policy). Is this right? How do the files here get populated?
They are populated by the kernel, just like /proc. The {access,
context, create, member, relabel, user} nodes are transactional - the
program writes a query to them, and then reads back the response from
the kernel. The user node is used by get_ordered_context_list and
friends to compute the set of contexts reachable for a given user from a
given security context, which in turn is used by login-like programs for
determining the session security context.
--
Stephen Smalley
National Security Agency
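
The write-then-read transaction described in the message above, sketched in C as an added example (not code from this thread, libselinux or the kernel). The function names are hypothetical, and the reply layout for the user node (decimal count, NUL, then NUL-terminated contexts) is an assumption based on how libselinux's security_compute_user() reads it; real programs should go through libselinux as advised earlier in the thread.

```c
/* Added illustration only; real programs should go through libselinux. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Parse a "user" node reply; assumed layout: decimal count, NUL, then that
 * many NUL-terminated contexts. Returns the count or -1 if malformed. */
int parse_user_reply(const char *buf, size_t len, const char **out, int max)
{
    unsigned int nel, i;
    const char *end = buf + len, *p = memchr(buf, '\0', len);

    if (!p || sscanf(buf, "%u", &nel) != 1 || nel > (unsigned int)max)
        return -1;
    for (i = 0, p++; i < nel; i++) {
        const char *nul = p < end ? memchr(p, '\0', (size_t)(end - p)) : NULL;
        if (!nul || nul == p)
            return -1;                 /* truncated or empty entry */
        out[i] = p;                    /* points into buf, not a copy */
        p = nul + 1;
    }
    return (int)nel;
}

/* One transaction: write the query, then read the reply on the SAME fd. */
ssize_t selinuxfs_transact(const char *node, const char *query,
                           char *reply, size_t size)
{
    ssize_t n = -1;
    int fd = open(node, O_RDWR);

    if (fd < 0)
        return -1;
    if (write(fd, query, strlen(query)) >= 0) {
        memset(reply, 0, size);
        n = read(fd, reply, size - 1);
    }
    close(fd);
    return n;
}

int main(void)
{
    /* Constructed sample reply; a live system would use selinuxfs_transact(). */
    static const char sample[] = "2\0user_u:system_r:unconfined_t\0root:system_r:unconfined_t";
    const char *ctx[8];
    int n = parse_user_reply(sample, sizeof(sample), ctx, 8);
    for (int i = 0; i < n; i++)
        puts(ctx[i]);
    return n < 0;
}
```

Because the reply only exists as the result of a write on the same descriptor, a plain stat or cat of the node shows an empty file, which matches the 0-byte size reported in the question.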