* Possibly re-expose the enforcing kernel cmdline parameter
From: Rahul Sandhu @ 2025-07-30 16:10 UTC (permalink / raw)
To: selinux
Hi,
This is more of a question for the kernel guys. Currently, libselinux
also checks the enforcing kernel cmdline parameter by *mounting /proc*.
This is... not ideal; granted many situations in early boot where the
policy is loaded with selinux_init_load_policy(3) will require /proc
mounted later for things like getcon to work (given they use the /proc
API), however I don't really think this is ideal at all, especially as
often the thing loading the policy is init. Would it be possible to
re-expose the enforcing kernel cmdline parameter as part of PID 1's env?
I think this would be cleaner, however I'm not sure if this goes against the
kernel's policy for anything or isn't feasible for some reason.
If this seems both reasonable and feasible, I'd be happy to send over a
patch.
Best Regards,
Rahul
* Re: Possibly re-expose the enforcing kernel cmdline parameter
From: Rahul Sandhu @ 2025-07-30 16:14 UTC (permalink / raw)
To: nvraxn; +Cc: selinux
I should add: I think this is reasonable because it is expected that
userspace will also make use of the enforcing parameter (I mean, the
userspace SELinux library does, so this doesn't seem unreasonable to
assume to me) and not just the kernel, but of course open to comments
and suggestions.
Best Regards,
Rahul
* Re: Possibly re-expose the enforcing kernel cmdline parameter
From: Stephen Smalley @ 2025-07-30 16:26 UTC (permalink / raw)
To: Rahul Sandhu; +Cc: selinux
On Wed, Jul 30, 2025 at 12:18 PM Rahul Sandhu <nvraxn@gmail.com> wrote:
>
> I should add: I think this is reasonable because it is expected that
> userspace will also make use of the enforcing parameter (I mean, the
> userspace SELinux library does, so this doesn't seem unreasonable to
> assume to me) and not just the kernel, but of course open to comments
> and suggestions.
In the init/main.c file in the kernel source tree, there is a comment
that says "modprobe will find them in /proc/cmdline", so expecting
userspace to read /proc/cmdline seems normal. git grep /proc/cmdline
in the systemd source tree turns up lots of references that indicate
it expects to be able to read it regardless of what libselinux does.
* Re: Possibly re-expose the enforcing kernel cmdline parameter
From: Rahul Sandhu @ 2025-07-30 16:28 UTC (permalink / raw)
To: stephen.smalley.work; +Cc: nvraxn, selinux
> In the init/main.c file in the kernel source tree, there is a comment
> that says "modprobe will find them in /proc/cmdline", so expecting
> userspace to read /proc/cmdline seems normal. git grep /proc/cmdline
> in the systemd source tree turns up lots of references that indicate
> it expects to be able to read it regardless of what libselinux does.
Okay, that seems reasonable then, thanks.
Best Regards,
Rahul
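
An added example, not part of the thread and not libselinux's or the kernel's code: one way a userspace program could read the enforcing parameter from /proc/cmdline, the approach discussed above. The function names, whole-token matching, last-occurrence-wins and stopping at a bare "--" are this example's assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 or 0 for the last well-formed enforcing=<n> token, or -1 if none.
 * Whole-token matching avoids a false hit on e.g. "notenforcing=1". */
int parse_enforcing(const char *cmdline)
{
    static const char key[] = "enforcing=";
    const size_t klen = sizeof(key) - 1;
    int result = -1;
    for (const char *p = cmdline; *p; ) {
        while (isspace((unsigned char)*p))
            p++;
        const char *tok = p;
        while (*p && !isspace((unsigned char)*p))
            p++;
        size_t len = (size_t)(p - tok);
        if (len == 2 && memcmp(tok, "--", 2) == 0)
            break;          /* assumption: later arguments are not ours */
        if (len > klen && !memcmp(tok, key, klen) &&
            isdigit((unsigned char)tok[klen])) {
            char *end;
            unsigned long v = strtoul(tok + klen, &end, 0);
            if (end == p)   /* reject trailing junk such as "1x" */
                result = v ? 1 : 0;
        }
    }
    return result;
}

/* Parse the first line of a cmdline file, e.g. /proc/cmdline. */
int read_enforcing(const char *path)
{
    char buf[4096];
    FILE *f = fopen(path, "r");
    int r = (f && fgets(buf, sizeof(buf), f)) ? parse_enforcing(buf) : -1;
    if (f)
        fclose(f);
    return r;
}

int main(void)
{
    /* Constructed sample line, not captured from a real system. */
    printf("%d\n", parse_enforcing("BOOT_IMAGE=/vmlinuz ro enforcing=1 quiet\n"));
    printf("%d\n", read_enforcing("/proc/cmdline"));
    return 0;
}
```

A return of -1 from read_enforcing also covers the case the thread starts from: /proc is not mounted yet, so the file cannot be opened.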