[systemd-devel] [PATCH] SELINUX: add /sys/fs/selinux mount point to put selinuxfs

Greg KH greg at kroah.com
Mon May 2 15:02:42 PDT 2011


On Mon, May 02, 2011 at 09:24:40AM -0400, Stephen Smalley wrote:
> On Fri, 2011-04-29 at 18:19 -0700, Greg KH wrote:
> > From: Greg Kroah-Hartman <gregkh at suse.de>
> > 
> > In the interest of keeping userspace from having to create new root
> > filesystems all the time, let's follow the lead of the other in-kernel
> > filesystems and provide a proper mount point for it in sysfs.
> > 
> > For selinuxfs, this mount point should be in /sys/fs/selinux/
> > 
> > Cc: Stephen Smalley <sds at tycho.nsa.gov>
> > Cc: James Morris <jmorris at namei.org>
> > Cc: Eric Paris <eparis at parisplace.org>
> > Cc: Lennart Poettering <mzerqung at 0pointer.de>
> > Cc: Daniel J Walsh <dwalsh at redhat.com>
> > Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
> > 
> > ---
> > 
> > Note, patch is untested, I don't have any selinux-based machines here,
> > sorry.
> 
> If I understand correctly, the patch won't change any userspace-visible
> behavior until one has a new libselinux that actually mounts selinuxfs
> on /sys/fs/selinux instead of /selinux, right?

Correct.

> At that point, we have to ensure that all userspace that directly
> references /selinux rather than using libselinux is changed to use
> libselinux.  You might argue that all such userspace is broken already,
> but given that selinuxfs has been mounted on /selinux ever since SELinux
> went into mainline in 2003, it is difficult to blame them.  Using
> codesearch.google.com on
> e.g. /selinux/enforce, /selinux/load, /selinux/booleans, /selinux/mls,
> etc turns up a number of examples, including glibc (a test case),
> puppet, dracut, anaconda, etc.
> 
> Policy implication:  Any program that needs to access selinuxfs will
> need to be able to search sysfs too.
> 
> Added dependency:  Any system that uses SELinux will need to enable and
> mount sysfs (or alternatively create at least a fake /sys/fs directory).
> I assume that sysfs is fairly universal at this point though, like proc?

Yes it is.

Care to forward this on to James for the next kernel merge window?

thanks,

greg k-h
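The thread's compatibility concern is userspace that hardcodes /selinux instead of asking libselinux where selinuxfs lives. As an added illustration (not code from the patch or from anyone in this thread), the shell functions below discover the selinuxfs mount point from a mount table in /proc/mounts format, the same approach libselinux takes, so a script keeps working whether selinuxfs is mounted on /selinux or on /sys/fs/selinux. The sample mount table and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: find selinuxfs by filesystem type rather than assuming a path.
# The mount table below is a constructed sample in /proc/mounts format.

SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# find_selinuxfs MOUNT_TABLE_TEXT
# Prints the mount point (field 2) of the first entry whose type (field 3)
# is selinuxfs; prints nothing and returns 1 when selinuxfs is not mounted.
find_selinuxfs() {
    printf '%s\n' "$1" | awk '
        $3 == "selinuxfs" { print $2; found = 1; exit }
        END { exit !found }'
}

# selinuxfs_file MOUNT_TABLE_TEXT NAME
# Builds the path of a selinuxfs node (e.g. "enforce") under the discovered
# mount point, so callers never bake in /selinux or /sys/fs/selinux.
selinuxfs_file() {
    mnt=$(find_selinuxfs "$1") || return 1
    printf '%s/%s\n' "$mnt" "$2"
}

# Usage: read the live mount table when available, otherwise use the sample.
if [ -r /proc/mounts ]; then
    find_selinuxfs "$(cat /proc/mounts)" || echo "selinuxfs not mounted" >&2
else
    find_selinuxfs "$SAMPLE_MOUNTS"
fi
```

A script that opens `$(selinuxfs_file "$(cat /proc/mounts)" enforce)` rather than `/selinux/enforce` is unaffected by the mount-point move, and it also fails cleanly (return code 1) on a system where selinuxfs is not mounted at all instead of silently reading a nonexistent path.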

