[systemd-devel] [PATCH] SELINUX: add /sys/fs/selinux mount point to put selinuxfs

Wed May 11 07:54:38 PDT 2011

On Wed, 2011-05-11 at 16:27 +0200, Kay Sievers wrote:
> On Wed, May 11, 2011 at 15:54, Greg KH <greg at kroah.com> wrote:
> > On Wed, May 11, 2011 at 01:22:42PM +0200, John Johansen wrote:
> >> On 05/11/2011 03:59 AM, Greg KH wrote:
> >> > On Tue, May 10, 2011 at 03:55:24PM -0700, Casey Schaufler wrote:
> >> >> On 5/10/2011 3:34 PM, Greg KH wrote:
> >> >>> From: Greg Kroah-Hartman <gregkh at suse.de>
> >> >>>
> >> >>> In the interest of keeping userspace from having to create new root
> >> >>> filesystems all the time, let's follow the lead of the other in-kernel
> >> >>> filesystems and provide a proper mount point for it in sysfs.
> >> >>>
> >> >>> For selinuxfs, this mount point should be in /sys/fs/selinux/
> >> >>
> >> >> It seems that we might want this to be an LSM interface standard.
> >> >> Is the call to kobject_create_and_add and associated cleanup all
> >> >> that's required? I would want Smack to follow the convention as
> >> >> well.
> >> >
> >> > You could always just create a subdir under /sys/security/ if you have
> >> > your own filesystem, but I don't think that Smack has one, right?
> >> >
> >> > Is it going to get one?  If so, we might want to revisit the idea of
> >> > securityfs if no one is actually using it...
> >> >
> >> resending, as this looks to have been lost
> >>
> >> AppArmor, IMA, and TOMOYO are using securityfs currently.
> >
> > Great, then it will not go anywhere.
> 
> Just to get an idea how all this fits together. How can TPM bios and
> IMA/AppArmor share this directory? They have their own subdirs in
> there, or both just use the securityfs infrastructure and not their
> own filesystem on top?

They create their own subdirs under /sys/kernel/security.
tpm0, ima, apparmor, etc.
They create nodes in securityfs rather than implementing their own
pseudo filesystem type.

-- 
Stephen Smalley
National Security Agency