On 5/11/2011 7:58 AM, Eric Paris wrote: > On Wed, May 11, 2011 at 10:54 AM, John Johansen > <john.johan...@canonical.com> wrote: >> On 05/11/2011 04:52 PM, Kay Sievers wrote: >>> On Wed, May 11, 2011 at 16:43, Greg KH <g...@kroah.com> wrote: >>>> On Wed, May 11, 2011 at 04:27:59PM +0200, Kay Sievers wrote: >>>>> On Wed, May 11, 2011 at 15:54, Greg KH <g...@kroah.com> wrote: >>>>>> On Wed, May 11, 2011 at 01:22:42PM +0200, John Johansen wrote: >>>>>>> On 05/11/2011 03:59 AM, Greg KH wrote: >>>>>>>> On Tue, May 10, 2011 at 03:55:24PM -0700, Casey Schaufler wrote: >>>>>>>>> On 5/10/2011 3:34 PM, Greg KH wrote: >>>>>>>>>> From: Greg Kroah-Hartman <gre...@suse.de> >>>>>>>>>> >>>>>>>>>> In the interest of keeping userspace from having to create new root >>>>>>>>>> filesystems all the time, let's follow the lead of the other >>>>>>>>>> in-kernel >>>>>>>>>> filesystems and provide a proper mount point for it in sysfs. >>>>>>>>>> >>>>>>>>>> For selinuxfs, this mount point should be in /sys/fs/selinux/ >>>>>>>>> It seems that we might want this to be an LSM interface standard. >>>>>>>>> Is the call to kobject_create_and_add and associated cleanup all >>>>>>>>> that's required? I would want Smack to follow the convention as >>>>>>>>> well. >>>>>>>> You could always just create a subdir under /sys/security/ if you have >>>>>>>> your own filesystem, but I don't think that Smack has one, right? >>>>>>>> >>>>>>>> Is it going to get one? If so, we might want to revisit the idea of >>>>>>>> securityfs if no one is actually using it... >>>>>>>> >>>>>>> resending, as this looks to have been lost >>>>>>> >>>>>>> AppArmor, IMA, and TOMOYO are using securityfs currently. >>>>>> Great, then it will not go anywhere. >>>>> Just to get an idea how all this fits together. How can TPM bios and >>>>> IMA/AppArmor share this directory? They have their own subdirs in >>>>> there, or both just use the securityfs infrastructure and not their >>>>> own filesystem on top? >>>> Only one security module is allowed to be loaded/active at any one point >>>> in time, so they can't step on each other. >>> Right, but what I don't understand is CONFIG_TCG_TPM, which seem to >>> use securityfs, and is not a LSM. This and AppArmor/IMA can be used at >>> the same time, can't it? They share securityfs then? >>> >> AppArmor, Tomoyo and IMA all create their own subdirectoy under securityfs >> so this should not be a problem > I guess the question is, should SELinux try to move to /sys/fs/selinux > or /sys/security/selinux. The only minor issue I see with the later > is that it requires both sysfs and securityfs to be mounted before you > can mount selinuxfs, whereas the first only requires sysfs. Stephen, > Casey, either of you have thoughts on the matter?
I would prefer /sys/security for all LSMs, but if SELinux goes with /sys/fs Smack will likely follow on the theory that mirroring the current dominant LSM is more likely to please the masses than doing what the greatest number of LSMs are doing. _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
