[systemd-devel] [PATCH] SELINUX: add /sys/fs/selinux mountpoint to put selinuxfs
Greg KH
greg at kroah.com
Wed May 11 15:27:01 PDT 2011

On Thu, May 12, 2011 at 07:14:29AM +0900, Tetsuo Handa wrote:
> Mimi Zohar wrote:
> > Just clarifying for the record that securityfs has typically been
> > mounted as /sys/kernel/security, not directly as /sys/security. So it
> > would be /sys/kernel/security/selinux that you're discussing.
>
> Mounting securityfs on /sys/kernel/security/ is a bit tricky.
> /sys/ likely exists in all distros using 2.6 kernels.

It is almost guaranteed, I know of no Linux systems that do not mount
sysfs, do you?

> However, openSuSE has /sys/kernel/debug/ directory on the / partition (i.e.
> /sys/kernel/ exists even if sysfs is not yet mounted). Userland tools that
> assume that sysfs is already mounted on /sys/ if /sys/kernel/ exists will fail.

That's a bug in openSUSE, please file it and it will be fixed.
Userspace should always be able to assume that sysfs is mounted on /sys/
now.

> Also, userland tools have to mount /sys/ on sysfs if it is not yet mounted
> (e.g. as of /sbin/init starts) before mounting securityfs on
> /sys/kernel/security/ .

That's what the distro startup logic is for. Remember, this whole
thread started on the systemd mailing list talking about this very logic :)

> Also userland tools which were executed as of /sbin/init
> starts have to unmount /sys/ and /sys/kernel/security/ before continuing boot
> procedure, or some distributions fail to boot at mounting /sys/ (which is
> listed on /etc/fstab) if /sys/ was already mounted.

I don't understand.

> Personally, /proc/security/$modulename/ would reduce dependency and make
> things simpler.

No, sorry, no more proc files please.
/sys should always be there just like /proc should be.

thanks,

greg k-h
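
Added example, not part of the original message and not code from systemd or any distribution: the thread's point that the existence of /sys/kernel/ says nothing about whether sysfs is mounted, shown as a check against the mount table instead of the directory tree. The function names and the constructed sample tables are assumptions for illustration; the default table path is /proc/self/mounts.

```shell
# is_mounted FSTYPE MOUNTPOINT [MOUNTS_FILE]
# Succeeds only if the topmost mount on MOUNTPOINT has type FSTYPE.
# Mount-table fields: device mountpoint fstype options dump pass
# (paths with spaces appear escaped as \040; not relevant for /sys).
is_mounted() {
    fstype=$1 mnt=$2 table=${3:-/proc/self/mounts}
    awk -v t="$fstype" -v m="$mnt" '
        $2 == m { found = ($3 == t) }   # later lines shadow earlier mounts
        END { exit found ? 0 : 1 }
    ' "$table"
}

# check_security_mounts [MOUNTS_FILE]
# Returns 0 if sysfs is on /sys and securityfs on /sys/kernel/security,
# 1 if sysfs is missing, 2 if only securityfs is missing.
check_security_mounts() {
    table=${1:-/proc/self/mounts}
    is_mounted sysfs /sys "$table" || {
        echo "sysfs not mounted on /sys"; return 1; }
    is_mounted securityfs /sys/kernel/security "$table" || {
        echo "securityfs not mounted on /sys/kernel/security"; return 2; }
    echo "ok"
}

# Constructed sample: early boot, /sys/kernel/ may exist as a plain
# directory on the root filesystem, but no sysfs is mounted.
sample_unmounted() {
    printf '%s\n' \
        'rootfs / rootfs rw 0 0' \
        '/dev/sda1 / ext4 rw,relatime 0 0' \
        'proc /proc proc rw,nosuid,nodev,noexec 0 0'
}

# Constructed sample: sysfs and securityfs both mounted.
sample_mounted() {
    sample_unmounted
    printf '%s\n' \
        'sysfs /sys sysfs rw,nosuid,nodev,noexec 0 0' \
        'securityfs /sys/kernel/security securityfs rw,relatime 0 0'
}
```

A tool that tests `[ -d /sys/kernel ]` would pass on the first sample's system; `check_security_mounts` reports the missing sysfs mount instead.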