[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1170101253.3294.6.camel@moss-spartans.epoch.ncsc.mil>
Date: Mon, 29 Jan 2007 15:07:33 -0500
From: Stephen Smalley <sds@...ho.nsa.gov>
To: casey@...aufler-ca.com
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>,
Andrew Morton <akpm@...l.org>, Ingo Molnar <mingo@...e.hu>,
tglx@...utronix.de, linux-kernel@...r.kernel.org,
selinux@...ho.nsa.gov, jmorris@...ei.org
Subject: Re: [PATCH] sysctl selinux: Don't look at table->de
On Mon, 2007-01-29 at 11:08 -0800, Casey Schaufler wrote:
> --- Stephen Smalley <sds@...ho.nsa.gov> wrote:
>
> > True, but a system that disables proc is likely a
> > system with a custom
> > policy anyway, and dependency on proc is fairly
> > basic to selinux these
> > days (due to reliance on /proc/self/attr for process
> > attribute
> > manipulation in place of the old selinux syscalls).
> > Possibly we should
> > just make selinux depend on proc and drop the #ifdef
> > there.
>
> Alternativly you could move the SELinux specific
> bits out of /proc/self/attr into an equivalent
> /selinux/self/attr and avoid that /proc dependency.
We could, but I don't see any compelling reason to do so. We were
specifically told to use proc for the selinux process attributes when we
refactored the selinux api for 2.6 inclusion, as they are per-process
state and fit naturally into proc.
--
Stephen Smalley
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists