On Wed, 2011-05-11 at 10:58 -0400, Eric Paris wrote:
> On Wed, May 11, 2011 at 10:54 AM, John Johansen
> <john.johan...@canonical.com> wrote:
> > On 05/11/2011 04:52 PM, Kay Sievers wrote:
> >> On Wed, May 11, 2011 at 16:43, Greg KH <g...@kroah.com> wrote:
> >>> On Wed, May 11, 2011 at 04:27:59PM +0200, Kay Sievers wrote:
> >>>> On Wed, May 11, 2011 at 15:54, Greg KH <g...@kroah.com> wrote:
> >>>>> On Wed, May 11, 2011 at 01:22:42PM +0200, John Johansen wrote:
> >>>>>> On 05/11/2011 03:59 AM, Greg KH wrote:
> >>>>>>> On Tue, May 10, 2011 at 03:55:24PM -0700, Casey Schaufler wrote:
> >>>>>>>> On 5/10/2011 3:34 PM, Greg KH wrote:
> >>>>>>>>> From: Greg Kroah-Hartman <gre...@suse.de>
> >>>>>>>>>
> >>>>>>>>> In the interest of keeping userspace from having to create new root
> >>>>>>>>> filesystems all the time, let's follow the lead of the other
> >>>>>>>>> in-kernel filesystems and provide a proper mount point for it in sysfs.
> >>>>>>>>>
> >>>>>>>>> For selinuxfs, this mount point should be in /sys/fs/selinux/
> >>>>>>>>
> >>>>>>>> It seems that we might want this to be an LSM interface standard.
> >>>>>>>> Is the call to kobject_create_and_add and associated cleanup all
> >>>>>>>> that's required? I would want Smack to follow the convention as
> >>>>>>>> well.
> >>>>>>>
> >>>>>>> You could always just create a subdir under /sys/security/ if you have
> >>>>>>> your own filesystem, but I don't think that Smack has one, right?
> >>>>>>>
> >>>>>>> Is it going to get one? If so, we might want to revisit the idea of
> >>>>>>> securityfs if no one is actually using it...
> >>>>>>>
> >>>>>> resending, as this looks to have been lost
> >>>>>>
> >>>>>> AppArmor, IMA, and TOMOYO are using securityfs currently.
> >>>>>
> >>>>> Great, then it will not go anywhere.
> >>>>
> >>>> Just to get an idea how all this fits together. How can TPM bios and
> >>>> IMA/AppArmor share this directory? They have their own subdirs in
> >>>> there, or both just use the securityfs infrastructure and not their
> >>>> own filesystem on top?
> >>>
> >>> Only one security module is allowed to be loaded/active at any one point
> >>> in time, so they can't step on each other.
> >>
> >> Right, but what I don't understand is CONFIG_TCG_TPM, which seems to
> >> use securityfs, and is not a LSM. This and AppArmor/IMA can be used at
> >> the same time, can't it? They share securityfs then?
> >>
> > AppArmor, Tomoyo and IMA all create their own subdirectory under securityfs
> > so this should not be a problem
>
> I guess the question is, should SELinux try to move to /sys/fs/selinux
> or /sys/security/selinux. The only minor issue I see with the latter
> is that it requires both sysfs and securityfs to be mounted before you
> can mount selinuxfs, whereas the first only requires sysfs. Stephen,
> Casey, either of you have thoughts on the matter?

Just clarifying for the record that securityfs has typically been
mounted as /sys/kernel/security, not directly as /sys/security. So it
would be /sys/kernel/security/selinux that you're discussing.

Mimi