FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Development

 
 
LinkBack Thread Tools
 
Old 04-29-2011, 11:07 PM
Daniel J Walsh
 
Default systemd - move /selinux to /sys/fs/selinux - maybe remove /srv ?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/29/2011 06:56 PM, Lennart Poettering wrote:
> On Fri, 29.04.11 00:37, Michał Piotrowski (mkkp4x4@gmail.com) wrote:
>
>> Hi,
>>
>> I think it's a very good decision - I never understood why selinux dir
>> is directly under /.
>
> Yes, I think this would be a good thing to have in F16.
>
> Note however that this needs a tiny kernel patch to work, to create the
> mount point under /sys/fs/selinux. This is a trivial patch and has been
> done for /sys/fs/cgroup before, so I assume this would be easy to get
> in and just needs a champion to push this forward.
>
>> By the way, maybe it would be good to think about the meaning of /srv
>> existance? For seven years FHS requires that this directory exists
>> http://www.pathname.com/fhs/pub/fhs-2.3.html#PURPOSE16A
>> but "The methodology used to name subdirectories of /srv is
>> unspecified as there is currently no consensus on how this should be
>> done" - so even the authors of the standard did not have anything to
>> say about how this directory should be used. Is there a rational
>> reason for the existence of this directory besides FHS conformance?
>
> I think /srv actually makes a lot of sense. Probably not so much on the
> desktop, but the boundaries are blurry, and I see no reason to set
> things up differently in this respect between servers and desktops. I
> see little benefit in removing this directory.
>
> Lennart
>
I think moving /selinux is a bit more complicated then just a simple
kernel change. We have libselinux changes, Lots of tools have learned
over the years the path of /selinux and lots of users know about it.

I am willing to work towards the goal of moving /selinux, but I might
end up with a symbolic link if we can not fix all of the problems.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk27RKUACgkQrlYvE4MpobOCoACgvLrAnXtzvx V7ztHP4aiGr8Df
VZ4AnAnqTzUofp62+IHkc9WmTvh74sRE
=NLi7
-----END PGP SIGNATURE-----
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 04-29-2011, 11:08 PM
Lennart Poettering
 
Default systemd - move /selinux to /sys/fs/selinux - maybe remove /srv ?

On Fri, 29.04.11 11:21, Daniel J Walsh (dwalsh@redhat.com) wrote:

> > I guess I missed some discussion of this. You'd need to update
> > libselinux at least, definition of SELINUXMNT in
> > libselinux/src/policy.h, used by selinux_init_load_policy() to mount
> > selinuxfs for initial policy load. And it may break rc scripts and
> > other scripts/programs that have become accustomed to /selinux.
> >
>
> Here is the patch I am thinking about.
>
> I think mock might need to be updated, maybe livecd tools.
>
>
> + /* We check to see if the original mount point for selinux file
> + * system has a selinuxfs. */
> + do {
> + rc = statfs("/selinux", &sfbuf);
> + } while (rc < 0 && errno == EINTR);
> + if (rc == 0) {
> + if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
> + selinux_mnt = strdup("/selinux");
> + return;
> + }

I like the patch.

One little feature request where we already are on this:

Given that there is a statfs() in here anyway, could we also maybe
extend this a tiny bit, and add a statvfs() call as well, and if
ST_RDONLY is set in .f_flag consider selinux to be off? That would be
very handy in containers/chroots and stuff like that, where you might
want to make the container assume selinux is off even though the host
has it enabled. If the container/chroot manager simply bind mounts
/selinux into the namespace read-only this would then be an effective
way to make selinux appear off to the container code.

I think using whether /selinux is read-only as a flag for selinux off is
a pretty natural nice way.

mock currently tries do work-around this by placing a fake
/proc/filesystems file in the namespace, and I think that's quite
ugly. Using read-only /selinux as flag appears much nicer to me, since
it in itself already disables a number of selinux operations.

Lennart

--
Lennart Poettering - Red Hat, Inc.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 04-29-2011, 11:11 PM
Lennart Poettering
 
Default systemd - move /selinux to /sys/fs/selinux - maybe remove /srv ?

On Fri, 29.04.11 11:07, Stephen Smalley (sds@tycho.nsa.gov) wrote:

> On Fri, 2011-04-29 at 00:37 +0200, Michał Piotrowski wrote:
> > Hi,
> >
> > I think it's a very good decision - I never understood why selinux dir
> > is directly under /.
>
> I guess I missed some discussion of this. You'd need to update
> libselinux at least, definition of SELINUXMNT in
> libselinux/src/policy.h, used by selinux_init_load_policy() to mount
> selinuxfs for initial policy load. And it may break rc scripts and
> other scripts/programs that have become accustomed to /selinux.

Yupp, systemd would also need a fix for this. But I'd be more than happy
to make this change.

Lennart

--
Lennart Poettering - Red Hat, Inc.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 

Thread Tools




All times are GMT. The time now is 10:19 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org