* Minimum kernel version for SELinux userspace

From: Stephen Smalley @ 2026-05-21 19:33 UTC
To: SElinux list
Cc: Paul Moore, Ondrej Mosnacek, Petr Lautrbach, James Carter, Jason Zaman, Jeffrey Vander Stoep

There are newer kernel APIs we could leverage to further improve the
SELinux userspace, but doing so would require setting a minimum kernel
version for new SELinux userspace releases. Not sure we've done that
previously.

In particular, I'd like to be able to use some or all of the following:
open_tree() + move_mount(): v5.2
openat2(RESOLVE_*): v5.6
mount_setattr(): v5.12

The question is what if any of these can we assume to be the minimum
kernel version going forward?
- kernel.org LTS kernels span 5.10 through 6.18 currently.
- Android common kernels track LTS kernels.
- RHEL 9 kernel was 5.14-based.
- Ubuntu 22.04 kernel was 5.15-based.
- Debian 12 kernel was 6.1-based.

I would guess we could set the minimum kernel version to v5.12 and use
all of these interfaces, at least in code not used by Android.
Thoughts?
* Re: Minimum kernel version for SELinux userspace

From: Stephen Smalley @ 2026-05-26 13:34 UTC
To: SElinux list
Cc: Paul Moore, Ondrej Mosnacek, Petr Lautrbach, James Carter, Jason Zaman, Jeffrey Vander Stoep

On Thu, May 21, 2026 at 3:33 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> There are newer kernel APIs we could leverage to further improve the
> SELinux userspace, but doing so would require setting a minimum kernel
> version for new SELinux userspace releases. Not sure we've done that
> previously.
>
> In particular, I'd like to be able to use some or all of the following:
> open_tree() + move_mount(): v5.2
> openat2(RESOLVE_*): v5.6
> mount_setattr(): v5.12
>
> The question is what if any of these can we assume to be the minimum
> kernel version going forward?
> - kernel.org LTS kernels span 5.10 through 6.18 currently.
> - Android common kernels track LTS kernels.
> - RHEL 9 kernel was 5.14-based.
> - Ubuntu 22.04 kernel was 5.15-based.
> - Debian 12 kernel was 6.1-based.
>
> I would guess we could set the minimum kernel version to v5.12 and use
> all of these interfaces, at least in code not used by Android.
> Thoughts?

As further context, I'm only looking at open_tree(), move_mount(), and
mount_setattr() for sandbox/seunshare.c and at openat2(RESOLVE_*) for
sandbox/seunshare.c, restorecond/watch.c, and
libselinux/src/selinux_restorecon.c. None of these are used today by
Android AFAIK, although selinux_restorecon() was based on
selinux_android_restorecon() and might be re-unified with it some day.

It would likely also be helpful to understand whether it is worth
further rewriting of sandbox/seunshare.c or if it is likely to be
obsoleted/replaced in the near term.
* Re: Minimum kernel version for SELinux userspace

From: Petr Lautrbach @ 2026-05-26 14:52 UTC
To: Stephen Smalley, SElinux list
Cc: Paul Moore, Ondrej Mosnacek, James Carter, Jason Zaman, Jeffrey Vander Stoep

Stephen Smalley <stephen.smalley.work@gmail.com> writes:

> On Thu, May 21, 2026 at 3:33 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
>>
>> There are newer kernel APIs we could leverage to further improve the
>> SELinux userspace, but doing so would require setting a minimum kernel
>> version for new SELinux userspace releases. Not sure we've done that
>> previously.
>>
>> In particular, I'd like to be able to use some or all of the following:
>> open_tree() + move_mount(): v5.2
>> openat2(RESOLVE_*): v5.6
>> mount_setattr(): v5.12
>>
>> The question is what if any of these can we assume to be the minimum
>> kernel version going forward?
>> - kernel.org LTS kernels span 5.10 through 6.18 currently.
>> - Android common kernels track LTS kernels.
>> - RHEL 9 kernel was 5.14-based.
>> - Ubuntu 22.04 kernel was 5.15-based.
>> - Debian 12 kernel was 6.1-based.
>>
>> I would guess we could set the minimum kernel version to v5.12 and use
>> all of these interfaces, at least in code not used by Android.
>> Thoughts?
>
> As further context, I'm only looking at open_tree(), move_mount(), and
> mount_setattr() for sandbox/seunshare.c and at openat2(RESOLVE_*) for
> sandbox/seunshare.c, restorecond/watch.c, and
> libselinux/src/selinux_restorecon.c. None of these are used today by
> Android AFAIK, although selinux_restorecon() was based on
> selinux_android_restorecon() and might be re-unified with it some day.
>
> It would likely also be helpful to understand whether it is worth
> further rewriting of sandbox/seunshare.c or if it is likely to be
> obsoleted/replaced in the near term.

We don't have any specific plan other than to support it in the existing
version for released RHELs.

For the future, I'd say that using bwrap could make things much easier.
And I would not mind moving sandbox out of SELinuxProject/selinux to its
own repository like SELinuxProject/sandbox.

Petr
* Re: Minimum kernel version for SELinux userspace

From: Thiébaud Weksteen @ 2026-05-26 23:31 UTC
To: Petr Lautrbach
Cc: Stephen Smalley, SElinux list, Paul Moore, Ondrej Mosnacek, James Carter, Jason Zaman, Jeffrey Vander Stoep

On Wed, May 27, 2026 at 1:00 AM Petr Lautrbach <plautrba@redhat.com> wrote:
>
> Stephen Smalley <stephen.smalley.work@gmail.com> writes:
>
> > On Thu, May 21, 2026 at 3:33 PM Stephen Smalley
> > <stephen.smalley.work@gmail.com> wrote:
> >>
> >> There are newer kernel APIs we could leverage to further improve the
> >> SELinux userspace, but doing so would require setting a minimum kernel
> >> version for new SELinux userspace releases. Not sure we've done that
> >> previously.
> >>
> >> In particular, I'd like to be able to use some or all of the following:
> >> open_tree() + move_mount(): v5.2
> >> openat2(RESOLVE_*): v5.6
> >> mount_setattr(): v5.12
> >>
> >> The question is what if any of these can we assume to be the minimum
> >> kernel version going forward?
> >> - kernel.org LTS kernels span 5.10 through 6.18 currently.
> >> - Android common kernels track LTS kernels.
> >> - RHEL 9 kernel was 5.14-based.
> >> - Ubuntu 22.04 kernel was 5.15-based.
> >> - Debian 12 kernel was 6.1-based.
> >>
> >> I would guess we could set the minimum kernel version to v5.12 and use
> >> all of these interfaces, at least in code not used by Android.
> >> Thoughts?
> >
> > As further context, I'm only looking at open_tree(), move_mount(), and
> > mount_setattr() for sandbox/seunshare.c and at openat2(RESOLVE_*) for
> > sandbox/seunshare.c, restorecond/watch.c, and
> > libselinux/src/selinux_restorecon.c. None of these are used today by
> > Android AFAIK, although selinux_restorecon() was based on
> > selinux_android_restorecon() and might be re-unified with it some day.

Thanks for modernizing the codebase and sharing the plan, Stephen. I don't
see any issue on the Android side.
* Re: Minimum kernel version for SELinux userspace

From: Stephen Smalley @ 2026-05-27 19:47 UTC
To: Petr Lautrbach
Cc: SElinux list, Paul Moore, Ondrej Mosnacek, James Carter, Jason Zaman, Jeffrey Vander Stoep

On Tue, May 26, 2026 at 10:52 AM Petr Lautrbach <plautrba@redhat.com> wrote:
>
> Stephen Smalley <stephen.smalley.work@gmail.com> writes:
>
> > On Thu, May 21, 2026 at 3:33 PM Stephen Smalley
> > <stephen.smalley.work@gmail.com> wrote:
> >>
> >> There are newer kernel APIs we could leverage to further improve the
> >> SELinux userspace, but doing so would require setting a minimum kernel
> >> version for new SELinux userspace releases. Not sure we've done that
> >> previously.
> >>
> >> In particular, I'd like to be able to use some or all of the following:
> >> open_tree() + move_mount(): v5.2
> >> openat2(RESOLVE_*): v5.6
> >> mount_setattr(): v5.12
> >>
> >> The question is what if any of these can we assume to be the minimum
> >> kernel version going forward?
> >> - kernel.org LTS kernels span 5.10 through 6.18 currently.
> >> - Android common kernels track LTS kernels.
> >> - RHEL 9 kernel was 5.14-based.
> >> - Ubuntu 22.04 kernel was 5.15-based.
> >> - Debian 12 kernel was 6.1-based.
> >>
> >> I would guess we could set the minimum kernel version to v5.12 and use
> >> all of these interfaces, at least in code not used by Android.
> >> Thoughts?
> >
> > As further context, I'm only looking at open_tree(), move_mount(), and
> > mount_setattr() for sandbox/seunshare.c and at openat2(RESOLVE_*) for
> > sandbox/seunshare.c, restorecond/watch.c, and
> > libselinux/src/selinux_restorecon.c. None of these are used today by
> > Android AFAIK, although selinux_restorecon() was based on
> > selinux_android_restorecon() and might be re-unified with it some day.
> >
> > It would likely also be helpful to understand whether it is worth
> > further rewriting of sandbox/seunshare.c or if it is likely to be
> > obsoleted/replaced in the near term.
>
> We don't have any specific plan other than to support it in the existing
> version for released RHELs.
>
> For the future, I'd say that using bwrap could make things much easier.
> And I would not mind moving sandbox out of SELinuxProject/selinux to its
> own repository like SELinuxProject/sandbox.

Ok, do you have an opinion on setting a minimum kernel version for
future SELinux userspace releases (not 3.11, but say 3.12 and later)
so we can start using some or all of these interfaces without
requiring backward-compatibility fallbacks?
* Re: Minimum kernel version for SELinux userspace

From: Thiébaud Weksteen @ 2026-05-28 1:28 UTC
To: Stephen Smalley
Cc: Petr Lautrbach, SElinux list, Paul Moore, Ondrej Mosnacek, James Carter, Jason Zaman, Jeffrey Vander Stoep

On Thu, May 28, 2026 at 5:48 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Tue, May 26, 2026 at 10:52 AM Petr Lautrbach <plautrba@redhat.com> wrote:
> >
> > Stephen Smalley <stephen.smalley.work@gmail.com> writes:
> >
> > > On Thu, May 21, 2026 at 3:33 PM Stephen Smalley
> > > <stephen.smalley.work@gmail.com> wrote:
> > >>
> > >> There are newer kernel APIs we could leverage to further improve the
> > >> SELinux userspace, but doing so would require setting a minimum kernel
> > >> version for new SELinux userspace releases. Not sure we've done that
> > >> previously.
> > >>
> > >> In particular, I'd like to be able to use some or all of the following:
> > >> open_tree() + move_mount(): v5.2
> > >> openat2(RESOLVE_*): v5.6
> > >> mount_setattr(): v5.12
> > >>
> > >> The question is what if any of these can we assume to be the minimum
> > >> kernel version going forward?
> > >> - kernel.org LTS kernels span 5.10 through 6.18 currently.
> > >> - Android common kernels track LTS kernels.
> > >> - RHEL 9 kernel was 5.14-based.
> > >> - Ubuntu 22.04 kernel was 5.15-based.
> > >> - Debian 12 kernel was 6.1-based.
> > >>
> > >> I would guess we could set the minimum kernel version to v5.12 and use
> > >> all of these interfaces, at least in code not used by Android.
> > >> Thoughts?
> > >
> > > As further context, I'm only looking at open_tree(), move_mount(), and
> > > mount_setattr() for sandbox/seunshare.c and at openat2(RESOLVE_*) for
> > > sandbox/seunshare.c, restorecond/watch.c, and
> > > libselinux/src/selinux_restorecon.c. None of these are used today by
> > > Android AFAIK, although selinux_restorecon() was based on
> > > selinux_android_restorecon() and might be re-unified with it some day.
> > >
> > > It would likely also be helpful to understand whether it is worth
> > > further rewriting of sandbox/seunshare.c or if it is likely to be
> > > obsoleted/replaced in the near term.
> >
> > We don't have any specific plan other than to support it in the existing
> > version for released RHELs.
> >
> > For the future, I'd say that using bwrap could make things much easier.
> > And I would not mind moving sandbox out of SELinuxProject/selinux to its
> > own repository like SELinuxProject/sandbox.
>
> Ok, do you have an opinion on setting a minimum kernel version for
> future SELinux userspace releases (not 3.11, but say 3.12 and later)
> so we can start using some or all of these interfaces without
> requiring backward-compatibility fallbacks?
>

The most up-to-date documentation for this discussion is the
compatibility matrix [1]. It matches the kernel versions we support to
their Android versions. Since we only pull in the latest libselinux for
the latest Android version, you can focus on the top row. As you
mentioned, this aligns with the LTS versions. Currently, Android 17 will
be the last release to support 5.10. The next version will be 5.15.

To your question, it depends when you expect 3.12 to be released. 5.15
would be a safe bet right now.

[1] https://source.android.com/docs/core/architecture/kernel/android-common#compatibility-matrix
* Re: Minimum kernel version for SELinux userspace

From: Petr Lautrbach @ 2026-05-28 6:23 UTC
To: Stephen Smalley
Cc: SElinux list, Paul Moore, Ondrej Mosnacek, James Carter, Jason Zaman, Jeffrey Vander Stoep

Stephen Smalley <stephen.smalley.work@gmail.com> writes:

> On Tue, May 26, 2026 at 10:52 AM Petr Lautrbach <plautrba@redhat.com> wrote:
>>
>> Stephen Smalley <stephen.smalley.work@gmail.com> writes:
>>
>> > On Thu, May 21, 2026 at 3:33 PM Stephen Smalley
>> > <stephen.smalley.work@gmail.com> wrote:
>> >>
>> >> There are newer kernel APIs we could leverage to further improve the
>> >> SELinux userspace, but doing so would require setting a minimum kernel
>> >> version for new SELinux userspace releases. Not sure we've done that
>> >> previously.
>> >>
>> >> In particular, I'd like to be able to use some or all of the following:
>> >> open_tree() + move_mount(): v5.2
>> >> openat2(RESOLVE_*): v5.6
>> >> mount_setattr(): v5.12
>> >>
>> >> The question is what if any of these can we assume to be the minimum
>> >> kernel version going forward?
>> >> - kernel.org LTS kernels span 5.10 through 6.18 currently.
>> >> - Android common kernels track LTS kernels.
>> >> - RHEL 9 kernel was 5.14-based.
>> >> - Ubuntu 22.04 kernel was 5.15-based.
>> >> - Debian 12 kernel was 6.1-based.
>> >>
>> >> I would guess we could set the minimum kernel version to v5.12 and use
>> >> all of these interfaces, at least in code not used by Android.
>> >> Thoughts?
>> >
>> > As further context, I'm only looking at open_tree(), move_mount(), and
>> > mount_setattr() for sandbox/seunshare.c and at openat2(RESOLVE_*) for
>> > sandbox/seunshare.c, restorecond/watch.c, and
>> > libselinux/src/selinux_restorecon.c. None of these are used today by
>> > Android AFAIK, although selinux_restorecon() was based on
>> > selinux_android_restorecon() and might be re-unified with it some day.
>> >
>> > It would likely also be helpful to understand whether it is worth
>> > further rewriting of sandbox/seunshare.c or if it is likely to be
>> > obsoleted/replaced in the near term.
>>
>> We don't have any specific plan other than to support it in the existing
>> version for released RHELs.
>>
>> For the future, I'd say that using bwrap could make things much easier.
>> And I would not mind moving sandbox out of SELinuxProject/selinux to its
>> own repository like SELinuxProject/sandbox.
>
> Ok, do you have an opinion on setting a minimum kernel version for
> future SELinux userspace releases (not 3.11, but say 3.12 and later)
> so we can start using some or all of these interfaces without
> requiring backward-compatibility fallbacks?

The only longterm kernel which does not support mount_setattr() seems
to be 5.10.257. And you need this only for seunshare which is not a core
component. Therefore I'd set the minimum on mount_setattr() v5.12 and
label seunshare as unsupported and let it fail on older kernels.

Petr
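An added example, not code from this thread or from the SELinux userspace: a small C probe for the check that "let it fail on older kernels" implies, testing whether the running kernel actually provides openat2(RESOLVE_*) and mount_setattr() (without touching any mount) and comparing the uname release against the proposed v5.12 minimum, so a tool like seunshare can refuse cleanly up front rather than fail part-way. The probe_* and release_at_least names are assumptions; the syscall numbers are the architecture-independent ones.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <unistd.h>
#include <linux/openat2.h>

/* Unified syscall numbers (same on every architecture), for headers that predate them. */
#ifndef __NR_openat2
#define __NR_openat2 437
#endif
#ifndef __NR_mount_setattr
#define __NR_mount_setattr 442
#endif

enum { PROBE_BLOCKED = -1, PROBE_UNSUPPORTED = 0, PROBE_SUPPORTED = 1 };

/* openat2() with RESOLVE_BENEATH|RESOLVE_NO_SYMLINKS on "." must succeed on
 * v5.6+. ENOSYS means an older kernel; any other error (e.g. EPERM from a
 * seccomp filter) is reported as blocked instead of being guessed at. */
int probe_openat2(void)
{
    struct open_how how = {
        .flags = O_RDONLY | O_DIRECTORY | O_CLOEXEC,
        .resolve = RESOLVE_BENEATH | RESOLVE_NO_SYMLINKS,
    };
    int fd = (int)syscall(__NR_openat2, (long)AT_FDCWD, ".", &how, sizeof(how));
    if (fd >= 0) { close(fd); return PROBE_SUPPORTED; }
    return errno == ENOSYS ? PROBE_UNSUPPORTED : PROBE_BLOCKED;
}

/* mount_setattr() rejects a zero-sized attr with EINVAL on v5.12+, so EINVAL
 * proves support without touching any mount; ENOSYS proves its absence. */
int probe_mount_setattr(void)
{
    long r = syscall(__NR_mount_setattr, (long)-1, "", 0L, (void *)0, (size_t)0);
    if (r == 0 || errno == EINVAL) return PROBE_SUPPORTED;
    return errno == ENOSYS ? PROBE_UNSUPPORTED : PROBE_BLOCKED;
}

/* Parse "MAJOR.MINOR..." from a uname release string; 1 if it is >= the minimum. */
int release_at_least(const char *release, int min_major, int min_minor)
{
    int major = 0, minor = 0;
    if (sscanf(release, "%d.%d", &major, &minor) != 2) return 0;
    return major > min_major || (major == min_major && minor >= min_minor);
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0) return 1;
    printf("%s: version>=5.12=%d openat2=%d mount_setattr=%d\n", u.release,
           release_at_least(u.release, 5, 12), probe_openat2(), probe_mount_setattr());
    return 0;
}
```

Note that the version string alone is not enough: a distribution kernel such as the RHEL 9 5.14 may carry backported syscalls, and a seccomp policy may block them on a new kernel, which is why the syscall probes are the authoritative answer.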