[systemd-devel] [PATCH] SELINUX: add /sys/fs/selinux mount point to put selinuxfs

Eric Paris eparis at parisplace.org
Wed May 11 08:50:57 PDT 2011


On Wed, May 11, 2011 at 11:13 AM, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> On Wed, 2011-05-11 at 10:58 -0400, Eric Paris wrote:
>> On Wed, May 11, 2011 at 10:54 AM, John Johansen

>> > AppArmor, Tomoyo and IMA all create their own subdirectory under securityfs
>> > so this should not be a problem
>>
>> I guess the question is, should SELinux try to move to /sys/fs/selinux
>> or /sys/security/selinux.  The only minor issue I see with the latter
>> is that it requires both sysfs and securityfs to be mounted before you
>> can mount selinuxfs, whereas the first only requires sysfs.  Stephen,
>> Casey, either of you have thoughts on the matter?
>
> Unless we plan to re-implement selinuxfs as securityfs nodes, I don't
> see why we'd move to /sys/security/selinux; we don't presently depend on
> securityfs and it isn't commonly mounted today.  selinuxfs has some
> specialized functionality that may not be trivial to reimplement via
> securityfs, and there was concern about userspace compatibility breakage
> when last we considered using securityfs.

The reason we would move to /sys/security/ instead of /sys/fs/ is
because other LSMs are already there and it would look consistent.
Obviously where selinuxfs gets mounted is determined by userspace and
is going to require a tools change.  The tools could mount securityfs
if it wasn't mounted.  Obviously it would mean SELinux would have to
select securityfs even though we didn't use it....

I'm up for either location, but I'm leaning towards /sys/security/
instead of /sys/fs if we know that's where other LSMs are going to
live...

-Eric

