On 04/29/2011 06:56 PM, Lennart Poettering wrote:
> On Fri, 29.04.11 00:37, Michał Piotrowski (mkkp4x4@gmail.com) wrote:
>
>> Hi,
>>
>> I think it's a very good decision - I never understood why selinux dir
>> is directly under /.
>
> Yes, I think this would be a good thing to have in F16.
>
> Note however that this needs a tiny kernel patch to work, to create the
> mount point under /sys/fs/selinux. This is a trivial patch and has been
> done for /sys/fs/cgroup before, so I assume this would be easy to get
> in and just needs a champion to push this forward.
>
>> By the way, maybe it would be good to think about the meaning of /srv
>> existance? For seven years FHS requires that this directory exists
>> http://www.pathname.com/fhs/pub/fhs-2.3.html#PURPOSE16A
>> but "The methodology used to name subdirectories of /srv is
>> unspecified as there is currently no consensus on how this should be
>> done" - so even the authors of the standard did not have anything to
>> say about how this directory should be used. Is there a rational
>> reason for the existence of this directory besides FHS conformance?
>
> I think /srv actually makes a lot of sense. Probably not so much on the
> desktop, but the boundaries are blurry, and I see no reason to set
> things up differently in this respect between servers and desktops. I
> see little benefit in removing this directory.
>
> Lennart
>
I think moving /selinux is a bit more complicated then just a simple
kernel change. We have libselinux changes, Lots of tools have learned
over the years the path of /selinux and lots of users know about it.
I am willing to work towards the goal of moving /selinux, but I might
end up with a symbolic link if we can not fix all of the problems.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
On Fri, 29.04.11 11:21, Daniel J Walsh (dwalsh@redhat.com) wrote:
> > I guess I missed some discussion of this. You'd need to update
> > libselinux at least, definition of SELINUXMNT in
> > libselinux/src/policy.h, used by selinux_init_load_policy() to mount
> > selinuxfs for initial policy load. And it may break rc scripts and
> > other scripts/programs that have become accustomed to /selinux.
> >
>
> Here is the patch I am thinking about.
>
> I think mock might need to be updated, maybe livecd tools.
>
>
> + /* We check to see if the original mount point for selinux file
> + * system has a selinuxfs. */
> + do {
> + rc = statfs("/selinux", &sfbuf);
> + } while (rc < 0 && errno == EINTR);
> + if (rc == 0) {
> + if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
> + selinux_mnt = strdup("/selinux");
> + return;
> + }
I like the patch.
One little feature request where we already are on this:
Given that there is a statfs() in here anyway, could we also maybe
extend this a tiny bit, and add a statvfs() call as well, and if
ST_RDONLY is set in .f_flag consider selinux to be off? That would be
very handy in containers/chroots and stuff like that, where you might
want to make the container assume selinux is off even though the host
has it enabled. If the container/chroot manager simply bind mounts
/selinux into the namespace read-only this would then be an effective
way to make selinux appear off to the container code.
I think using whether /selinux is read-only as a flag for selinux off is
a pretty natural nice way.
mock currently tries do work-around this by placing a fake
/proc/filesystems file in the namespace, and I think that's quite
ugly. Using read-only /selinux as flag appears much nicer to me, since
it in itself already disables a number of selinux operations.
Lennart
--
Lennart Poettering - Red Hat, Inc.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
On Fri, 29.04.11 11:07, Stephen Smalley (sds@tycho.nsa.gov) wrote:
> On Fri, 2011-04-29 at 00:37 +0200, Michał Piotrowski wrote:
> > Hi,
> >
> > I think it's a very good decision - I never understood why selinux dir
> > is directly under /.
>
> I guess I missed some discussion of this. You'd need to update
> libselinux at least, definition of SELINUXMNT in
> libselinux/src/policy.h, used by selinux_init_load_policy() to mount
> selinuxfs for initial policy load. And it may break rc scripts and
> other scripts/programs that have become accustomed to /selinux.
Yupp, systemd would also need a fix for this. But I'd be more than happy
to make this change.
Lennart
--
Lennart Poettering - Red Hat, Inc.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
systemd - move /selinux to /sys/fs/selinux - maybe remove /srv ?
