From: Petr Lautrbach <plautrba@redhat.com>
To: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: SElinux list <selinux@vger.kernel.org>,
Paul Moore <paul@paul-moore.com>,
Ondrej Mosnacek <omosnace@redhat.com>,
James Carter <jwcart2@gmail.com>,
Jason Zaman <perfinion@gentoo.org>,
Jeffrey Vander Stoep <jeffv@google.com>
Subject: Re: Minimum kernel version for SELinux userspace
Date: Thu, 28 May 2026 08:23:51 +0200 [thread overview]
Message-ID: <87h5nsnjbc.fsf@redhat.com> (raw)
In-Reply-To: <CAEjxPJ7y-q=sFpd51ci5OvH9Qvf5-jx-7oTWOrrrhKSvF2YMng@mail.gmail.com>
Stephen Smalley <stephen.smalley.work@gmail.com> writes:
> On Tue, May 26, 2026 at 10:52 AM Petr Lautrbach <plautrba@redhat.com> wrote:
>>
>> Stephen Smalley <stephen.smalley.work@gmail.com> writes:
>>
>> > On Thu, May 21, 2026 at 3:33 PM Stephen Smalley
>> > <stephen.smalley.work@gmail.com> wrote:
>> >>
>> >> There are newer kernel APIs we could leverage to further improve the
>> >> SELinux userspace, but doing so would require setting a minimum kernel
>> >> version for new SELinux userspace releases. Not sure we've done that
>> >> previously.
>> >>
>> >> In particular, I'd like to be able to use some or all of the following:
>> >> open_tree() + move_mount(): v5.2
>> >> openat2(RESOLVE_*): v5.6
>> >> mount_setattr(): v5.12
>> >>
>> >> The question is what if any of these can we assume to be the minimum
>> >> kernel version going forward?
>> >> - kernel.org LTS kernels span 5.10 through 6.18 currently.
>> >> - Android common kernels track LTS kernels.
>> >> - RHEL 9 kernel was 5.14-based.
>> >> - Ubuntu 22.04 kernel was 5.15-based.
>> >> - Debian 12 kernel was 6.1-based.
>> >>
>> >> I would guess we could set the minimum kernel version to v5.12 and use
>> >> all of these interfaces, at least in code not used by Android.
>> >> Thoughts?
>> >
>> > As further context, I'm only looking at open_tree(), move_mount(), and
>> > mount_setattr() for sandbox/seunshare.c and at openat2(RESOLVE_*) for
>> > sandbox/seunshare.c, restorecond/watch.c, and
>> > libselinux/src/selinux_restorecon.c. None of these are used today by
>> > Android AFAIK, although selinux_restorecon() was based on
>> > selinux_android_restorecon() and might be re-unified with it some day.
>> >
>> > It would likely also be helpful to understand whether it is worth
>> > further rewriting of sandbox/seunshare.c or if it is likely to be
>> > obsoleted/replaced in the near term.
>>
>> We don't have any specific plan other than support it in existing
>> version for release RHELs
>>
>> For future, I'd say that using bwrap could make things much easier.
>> And I would not mind to move sandbox out of SELinuxProject/selinux to its
>> own repository like SELinuxProject/sandbox.
>
> Ok, do you have an opinion on setting a minimum kernel version for
> future SELinux userspace releases (not 3.11, but say 3.12 and later)
> so we can start using some or all of these interfaces without
> requiring backward-compatibility fallbacks?
The only longterm kernel which does not support mount_setattr() seems to
be 5.10.257. And you need this only for seunshare which is not a core
component. Therefore I'd set the minimum on mount_setattr() v5.12 and
label seunshare as unsupported and let it fail on older kernels.
Petr
prev parent reply other threads:[~2026-05-28 6:24 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-21 19:33 Minimum kernel version for SELinux userspace Stephen Smalley
2026-05-26 13:34 ` Stephen Smalley
2026-05-26 14:52 ` Petr Lautrbach
2026-05-26 23:31 ` Thiébaud Weksteen
2026-05-27 19:47 ` Stephen Smalley
2026-05-28 1:28 ` Thiébaud Weksteen
2026-05-28 6:23 ` Petr Lautrbach [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87h5nsnjbc.fsf@redhat.com \
--to=plautrba@redhat.com \
--cc=jeffv@google.com \
--cc=jwcart2@gmail.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=perfinion@gentoo.org \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox