On Mon, 2011-05-02 at 19:29 +0200, Lennart Poettering wrote:
> On Mon, 02.05.11 12:09, David Quigley (selinux@xxxxxxxxxxxxxxx) wrote:
>
> > Merging the kernel patch without doing the
> > legwork for userspace first is a very bad idea. The kernel is what
> > mounts the FS under /selinux so if you have it mount under
> > /sys/fs/selinux instead without coordinating with the required userspace
> > changes you'll have a completely broken system. I'd say let Dan handle
> > when the right time to merge the kernel patch is since both him and the
> > tresys people will have to be involved with releasing new versions of
> > libselinux. Also Dan will have to work with some of the package
> > maintainers to clean up and fix their packages as well. I'd really not
> > like it if I can't test new kernels with my labeled-nfs patches because
> > we merged an ABI breaking change into mainline without making sure
> > people can handle it first.
>
> No, userspace mounts the fs to /selinux.
>
> If the kernel patch is merged (and it will, given that Dan okay'd it)
> this will just create an empty directory in /sys/fs/selinux suitable as
> mount point. That's all. Whether this is actually used as mount point is
> left to userspace.
>
> Merging the kernel patch is pretty much risk-less. The transition to it
> can happen at a later point, slowly, at a pace defined by Dan.

Yes, agreed. This does require updating various scripts that directly
reference /selinux though, including anaconda, dracut, puppet, etc. I'm
guessing that some of these direct references are due to scripts that
need to be able to run before /usr is mounted, so if we moved the
libselinux utils to /bin or /sbin, then the scripts could execute
selinuxenabled, getenforce, and setenforce without concern.

-- 
Stephen Smalley
National Security Agency

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
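An added example, not from the thread or from libselinux: a shell snippet that locates the selinuxfs mount point from /proc/self/mounts instead of hard-coding /selinux, so an early-boot script keeps working whether selinuxfs sits at /selinux or /sys/fs/selinux, and then reads the enforce file the way getenforce does. The MOUNTS_FILE override is an assumption added so the logic can be exercised against a constructed mounts table.

```shell
#!/bin/sh
# Added example (not part of the thread): find selinuxfs wherever userspace
# mounted it, rather than assuming /selinux or /sys/fs/selinux.
# MOUNTS_FILE is an assumed override for testing; the real table is
# /proc/self/mounts.

# Print the selinuxfs mount point; return 1 if it is not mounted.
selinuxfs_mountpoint() {
    mounts="${MOUNTS_FILE:-/proc/self/mounts}"
    [ -r "$mounts" ] || return 1
    mp=
    # /proc/self/mounts fields: device mountpoint fstype options dump pass.
    # The last matching entry wins, as it is the most recent mount.
    while read -r dev mnt fstype rest; do
        if [ "$fstype" = "selinuxfs" ]; then
            mp=$mnt
        fi
    done < "$mounts"
    [ -n "$mp" ] || return 1
    printf '%s\n' "$mp"
}

# Mirror getenforce: return 0 if enforcing, 1 if permissive,
# 2 if selinuxfs is not mounted or the enforce file is unreadable.
# The enforce file holds "1" or "0" at either mount location.
selinux_mode() {
    mp=$(selinuxfs_mountpoint) || return 2
    read -r val 2>/dev/null < "$mp/enforce" || return 2
    [ "$val" = "1" ]
}

# Convenience wrapper an init script could call in place of a
# hard-coded test on /selinux/enforce.
if [ "${1:-}" = "--check" ]; then
    selinux_mode; rc=$?
    case $rc in
        0) echo "Enforcing" ;;
        1) echo "Permissive" ;;
        *) echo "Disabled or selinuxfs not mounted" ;;
    esac
    exit $rc
fi
```

Run it with `--check` on a live system to see the same verdict getenforce would give.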