* Functions prefixed with security_ in SELinux
@ 2014-10-09 17:55 Casey Schaufler
  2014-10-24 19:49 ` Paul Moore
  0 siblings, 1 reply; 5+ messages in thread
From: Casey Schaufler @ 2014-10-09 17:55 UTC (permalink / raw)
  To: SELinux, LSM


As I've been working on the multiple concurrent modules project I have
frequently encountered the use of the function prefix security_ in
SELinux specific code. I understand and appreciate that this code has
been there since the dawn of time. The LSM infrastructure also uses this
prefix, and that's where I have my concern. When I'm grubbing about for
uses of the LSM infrastructure in the SELinux code it's really quite
annoying. Would the SELinux community be open to considering the
possibility of thinking about cleaning up this bit of namespace
pollution? It surely isn't a critical issue, but it would certainly look
better.

security_context_to_sid -> selinux_context_to_sid

Just a thought.


* Re: Functions prefixed with security_ in SELinux
  2014-10-09 17:55 Functions prefixed with security_ in SELinux Casey Schaufler
@ 2014-10-24 19:49 ` Paul Moore
  2014-10-24 21:33   ` Casey Schaufler
  0 siblings, 1 reply; 5+ messages in thread
From: Paul Moore @ 2014-10-24 19:49 UTC (permalink / raw)
  To: Casey Schaufler; +Cc: LSM, SELinux

On Thu, Oct 9, 2014 at 1:55 PM, Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> As I've been working on the multiple concurrent modules project I have
> frequently encountered the use of the function prefix security_ in
> SELinux specific code. I understand and appreciate that this code has
> been there since the dawn of time. The LSM infrastructure also uses this
> prefix, and that's where I have my concern. When I'm grubbing about for
> uses of the LSM infrastructure in the SELinux code it's really quite
> annoying. Would the SELinux community be open to considering the
> possibility of thinking about cleaning up this bit of namespace
> pollution? It surely isn't a critical issue, but it would certainly look
> better.
>
> security_context_to_sid -> selinux_context_to_sid
>
> Just a thought.

Sorry for the delay.  I've been a bit busy and this got lost in my
SELinux folder.

It probably is something we should clean up, in fact we should
probably take a long hard look at why we still keep the "security
server" code separated from the SELinux hooks code.  I understand the
original reasoning, but I wonder if that still matters, especially
with many Linux-isms creeping into the security server code.

So to answer your question, yes, it is something I would consider, but
likely only as part of a larger effort to cleanup/integrate the
SELinux security server code into the Linux specific code.

-- 
paul moore
www.paul-moore.com


* Re: Functions prefixed with security_ in SELinux
  2014-10-24 19:49 ` Paul Moore
@ 2014-10-24 21:33   ` Casey Schaufler
  2014-10-25 16:45     ` Paul Moore
  0 siblings, 1 reply; 5+ messages in thread
From: Casey Schaufler @ 2014-10-24 21:33 UTC (permalink / raw)
  To: Paul Moore; +Cc: LSM, SELinux

On 10/24/2014 12:49 PM, Paul Moore wrote:
> On Thu, Oct 9, 2014 at 1:55 PM, Casey Schaufler <casey@schaufler-ca.com> wrote:
>> As I've been working on the multiple concurrent modules project I have
>> frequently encountered the use of the function prefix security_ in
>> SELinux specific code. I understand and appreciate that this code has
>> been there since the dawn of time. The LSM infrastructure also uses this
>> prefix, and that's where I have my concern. When I'm grubbing about for
>> uses of the LSM infrastructure in the SELinux code it's really quite
>> annoying. Would the SELinux community be open to considering the
>> possibility of thinking about cleaning up this bit of namespace
>> pollution? It surely isn't a critical issue, but it would certainly look
>> better.
>>
>> security_context_to_sid -> selinux_context_to_sid
>>
>> Just a thought.
> Sorry for the delay.  I've been a bit busy and this got lost in my
> SELinux folder.
>
> It probably is something we should clean up, in fact we should
> probably take a long hard look at why we still keep the "security
> server" code separated from the SELinux hooks code.  I understand the
> original reasoning, but I wonder if that still matters, especially
> with many Linux-isms creeping into the security server code.
>
> So to answer your question, yes, it is something I would consider, but
> likely only as part of a larger effort to cleanup/integrate the
> SELinux security server code into the Linux specific code.
>

Would you consider patches that address this as part of the Multiple
LSM work? I wouldn't be doing the security server integration as that
would be outside the scope of the effort, but I consider the namespace
issue to be in scope. I won't bother if you aren't open to it.

Thank you.


* Re: Functions prefixed with security_ in SELinux
  2014-10-24 21:33   ` Casey Schaufler
@ 2014-10-25 16:45     ` Paul Moore
  2014-10-26  0:26       ` Casey Schaufler
  0 siblings, 1 reply; 5+ messages in thread
From: Paul Moore @ 2014-10-25 16:45 UTC (permalink / raw)
  To: Casey Schaufler; +Cc: LSM, SELinux

On Fri, Oct 24, 2014 at 5:33 PM, Casey Schaufler <casey@schaufler-ca.com> wrote:
> Would you consider patches that address this as part of the Multiple
> LSM work? I wouldn't be doing the security server integration as that
> would be outside the scope of the effort, but I consider the namespace
> issue to be in scope. I won't bother if you aren't open to it.

No, sadly I think a rename patch would need to be part of a larger
cleanup/integration effort; otherwise it just looks like a lot of
churn for minimal benefit.  I understand that it probably looks
significant within the work you are doing to stack LSMs, but
considering how rare/unique that work is, I don't think this is a
problem many people are likely to run into on a regular basis.


-- 
paul moore
www.paul-moore.com


* Re: Functions prefixed with security_ in SELinux
  2014-10-25 16:45     ` Paul Moore
@ 2014-10-26  0:26       ` Casey Schaufler
  0 siblings, 0 replies; 5+ messages in thread
From: Casey Schaufler @ 2014-10-26  0:26 UTC (permalink / raw)
  To: Paul Moore; +Cc: LSM, SELinux

On 10/25/2014 9:45 AM, Paul Moore wrote:
> On Fri, Oct 24, 2014 at 5:33 PM, Casey Schaufler <casey@schaufler-ca.com> wrote:
>> Would you consider patches that address this as part of the Multiple
>> LSM work? I wouldn't be doing the security server integration as that
>> would be outside the scope of the effort, but I consider the namespace
>> issue to be in scope. I won't bother if you aren't open to it.
> No, sadly I think a rename patch would need to be part of a larger
> cleanup/integration effort; otherwise it just looks like a lot of
> churn for minimal benefit.  I understand that it probably looks
> significant within the work you are doing to stack LSMs, but
> considering how rare/unique that work is, I don't think this is a
> problem many people are likely to run into on a regular basis.

OK, I shan't worry about it. I suspect that I'm the only person
on the planet likely to be bothered especially much by it, and I
do have enough other kittens to fry.
