From: Petr Lautrbach <plautrba@redhat.com>
To: Casey Schaufler <casey@schaufler-ca.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: selinux@vger.kernel.org
Subject: Re: Where to look for system services modified for SELinux
Date: Wed, 20 Mar 2024 20:15:08 +0100
Message-ID: <87msqs90lf.fsf@redhat.com>
In-Reply-To: <29fcb989-bfc8-4afb-a6b0-4474f32ae996@schaufler-ca.com>
Casey Schaufler <casey@schaufler-ca.com> writes:
> On 3/20/2024 8:50 AM, Stephen Smalley wrote:
>> On Tue, Mar 19, 2024 at 7:03 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>>> It would be very helpful if I could find documentation about, or even a
>>> list of, system services that have been enhanced in support of SELinux.
>>> I'm doing this as part of the LSM stacking effort, looking for things that
>>> may require additional work for the multiple LSM environment. I already
>>> know about systemd, dbus and the pam module.
>> (re-send in plaintext mode, with some additional info appended at the end)
>>
>> There is an old list at
>> https://github.com/SELinuxProject/selinux/wiki/Userspace-Packages
>>
>> But the only way to get an accurate up-to-date list is to use your
>> favorite package manager and ask it for the list of all packages that
>> depend on libselinux. That will be more than just services of course.
>> Technically that might not get all of them since some could just be
>> directly using the xattr system calls, the /proc/pid/attr interface,
>> and/or the /sys/fs/selinux interface without using the libselinux
>> wrappers.
>>
>> Some SELinux-aware services besides the ones you listed above and not
>> in the original list on GitHub include nscd (part of glibc), sssd,
>> Xorg, PostgreSQL, libvirtd, all the modern cron variants, and various
>> container runtimes/daemons. The extent to which they use SELinux APIs
>> varies though, from those that are merely getting/setting SELinux
>> process or file contexts to full-fledged userspace object managers /
>> policy enforcers.
>>
>> Then there is a completely different list for Android, but not sure
>> you care about it.
>
> Thank you, that's been a big help. Turns out Fedora 39 installs 93
> packages with "selinux" in the title. Yoiks!
The title could be misleading, as there are -selinux packages with custom
policies.
But there are about 95 packages which require libselinux:
$ sudo dnf repoquery --disablerepo=\* --enablerepo=fedora --whatrequires='libselinux.so.1()(64bit)' --qf '%{sourcerpm}' | uniq
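As an added example, not code from this thread: a small Python audit for the gap Stephen points out above. A package query such as the dnf one only finds programs that link libselinux, so this scans ELF files for the direct interfaces he names (/sys/fs/selinux, /proc/pid/attr, the security.selinux xattr) and flags the ones that use them without libselinux. The marker strings and the raw byte search are my assumption (a hit means the string is embedded, not proof of use), and build_samples() writes constructed fake binaries so the scan runs offline.

```python
import tempfile
from pathlib import Path

# Markers taken from the interfaces the thread names. A raw byte search is a
# heuristic (assumption): a hit means the binary embeds the string, not that it uses it.
MARKERS = {
    "libselinux": (b"libselinux.so.1",),                      # DT_NEEDED / dlopen name
    "selinuxfs": (b"/sys/fs/selinux",),                       # direct selinuxfs access
    "procattr": (b"/proc/self/attr/", b"/proc/thread-self/attr/"),
    "xattr": (b"security.selinux",),                          # label name for *xattr(2)
}
ELF_MAGIC = b"\x7fELF"

def classify(path):
    """Return the set of marker names found in an ELF file, or None if not ELF."""
    data = Path(path).read_bytes()
    if not data.startswith(ELF_MAGIC):
        return None
    return {name for name, needles in MARKERS.items()
            if any(n in data for n in needles)}

def direct_only(found):
    """True when a kernel interface is used without libselinux linked in:
    exactly the case a package-dependency query cannot see."""
    return bool(found) and "libselinux" not in found

def scan(paths):
    """Map each ELF path with findings to its marker set; skip the rest."""
    report = {}
    for p in paths:
        try:
            found = classify(p)
        except OSError:
            continue  # unreadable file: nothing to decide, move on
        if found:
            report[str(p)] = found
    return report

def build_samples():
    """Constructed fake 'binaries' (ELF magic plus strings) for an offline dry run."""
    d = Path(tempfile.mkdtemp(prefix="selinux-audit-"))
    fakes = {"linked": ELF_MAGIC + b"\0libselinux.so.1\0",
             "direct": ELF_MAGIC + b"\0/sys/fs/selinux/context\0security.selinux\0",
             "plain": ELF_MAGIC + b"\0libc.so.6\0",
             "script": b"#!/bin/sh\necho /sys/fs/selinux\n"}
    for name, body in fakes.items():
        (d / name).write_bytes(body)
    return {name: str(d / name) for name in fakes}
```

Pointed at real files, `scan(Path("/usr/bin").iterdir())` gives the report, and `direct_only()` marks the entries a libselinux dependency query would have missed.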
Thread overview:
2024-03-19 22:53 ` Where to look for system services modified for SELinux Casey Schaufler
2024-03-20 15:50 ` Stephen Smalley
2024-03-20 18:08 ` Casey Schaufler
2024-03-20 19:15 ` Petr Lautrbach [this message]
2024-03-20 19:40 ` Petr Lautrbach