Re: Minimum kernel version for SELinux userspace

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Petr Lautrbach <plautrba@redhat.com>
To: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: SElinux list <selinux@vger.kernel.org>,
	Paul Moore <paul@paul-moore.com>,
	Ondrej Mosnacek <omosnace@redhat.com>,
	James Carter <jwcart2@gmail.com>,
	Jason Zaman <perfinion@gentoo.org>,
	Jeffrey Vander Stoep <jeffv@google.com>
Subject: Re: Minimum kernel version for SELinux userspace
Date: Thu, 28 May 2026 08:23:51 +0200	[thread overview]
Message-ID: <87h5nsnjbc.fsf@redhat.com> (raw)
In-Reply-To: <CAEjxPJ7y-q=sFpd51ci5OvH9Qvf5-jx-7oTWOrrrhKSvF2YMng@mail.gmail.com>

Stephen Smalley <stephen.smalley.work@gmail.com> writes:

> On Tue, May 26, 2026 at 10:52 AM Petr Lautrbach <plautrba@redhat.com> wrote:
>>
>> Stephen Smalley <stephen.smalley.work@gmail.com> writes:
>>
>> > On Thu, May 21, 2026 at 3:33 PM Stephen Smalley
>> > <stephen.smalley.work@gmail.com> wrote:
>> >>
>> >> There are newer kernel APIs we could leverage to further improve the
>> >> SELinux userspace, but doing so would require setting a minimum kernel
>> >> version for new SELinux userspace releases. Not sure we've done that
>> >> previously.
>> >>
>> >> In particular, I'd like to be able to use some or all of the following:
>> >> open_tree() + move_mount(): v5.2
>> >> openat2(RESOLVE_*): v5.6
>> >> mount_setattr(): v5.12
>> >>
>> >> The question is what if any of these can we assume to be the minimum
>> >> kernel version going forward?
>> >> - kernel.org LTS kernels span 5.10 through 6.18 currently.
>> >> - Android common kernels track LTS kernels.
>> >> - RHEL 9 kernel was 5.14-based.
>> >> - Ubuntu 22.04 kernel was 5.15-based.
>> >> - Debian 12 kernel was 6.1-based.
>> >>
>> >> I would guess we could set the minimum kernel version to v5.12 and use
>> >> all of these interfaces, at least in code not used by Android.
>> >> Thoughts?
>> >
>> > As further context, I'm only looking at open_tree(), move_mount(), and
>> > mount_setattr() for sandbox/seunshare.c and at openat2(RESOLVE_*) for
>> > sandbox/seunshare.c, restorecond/watch.c, and
>> > libselinux/src/selinux_restorecon.c. None of these are used today by
>> > Android AFAIK, although selinux_restorecon() was based on
>> > selinux_android_restorecon() and might be re-unified with it some day.
>> >
>> > It would likely also be helpful to understand whether it is worth
>> > further rewriting of sandbox/seunshare.c or if it is likely to be
>> > obsoleted/replaced in the near term.
>>
>> We don't have any specific plan other than support it in existing
>> version for release RHELs
>>
>> For future, I'd say that using bwrap could make things much easier.
>> And I would not mind to move sandbox out of SELinuxProject/selinux to its
>> own repository like SELinuxProject/sandbox.
>
> Ok, do you have an opinion on setting a minimum kernel version for
> future SELinux userspace releases (not 3.11, but say 3.12 and later)
> so we can start using some or all of these interfaces without
> requiring backward-compatibility fallbacks?

The only longterm kernel which does not support mount_setattr() seems to
be 5.10.257. And you need this only for seunshare which is not a core
component. Therefore I'd set the minimum on mount_setattr() v5.12 and
label seunshare as unsupported and let it fail on older kernels.

Petr

     prev parent reply	other threads:[~2026-05-28  6:24 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-21 19:33 Minimum kernel version for SELinux userspace Stephen Smalley
2026-05-26 13:34 ` Stephen Smalley
2026-05-26 14:52   ` Petr Lautrbach
2026-05-26 23:31     ` Thiébaud Weksteen
2026-05-27 19:47     ` Stephen Smalley
2026-05-28  1:28       ` Thiébaud Weksteen
2026-05-28  6:23       ` Petr Lautrbach [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87h5nsnjbc.fsf@redhat.com \
    --to=plautrba@redhat.com \
    --cc=jeffv@google.com \
    --cc=jwcart2@gmail.com \
    --cc=omosnace@redhat.com \
    --cc=paul@paul-moore.com \
    --cc=perfinion@gentoo.org \
    --cc=selinux@vger.kernel.org \
    --cc=stephen.smalley.work@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.