On Wed, Dec 12, 2012 at 12:31 PM, Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
> We can't undo the sins of the past regarding /proc/.../attr.

Agreed.

> With the scheme I'm putting forth you can have a working system with both
> SELinux and AppArmor if either runtime understands the multiple LSM
> environment.

Agreed. (assuming the command line option was configured to present the one that doesn't understand)

> If neither understands, at least one will have trouble.

Agreed. I'm just of the belief the 'trouble' should be 'fails completely' rather than 'fails partially' trying to use /proc/self/attr...

> On a slightly different note, do we need a liblsm with interfaces like:
>
> int lsm_presented(char *presented)
> int lsm_supported(char *lsmname)
>
> so you're not reading the files directly?

If I have new enough userspace to call such functions, do I need them? Doesn't seem I need presented. I can always use the selinux.* version of attr files. Maybe lsm_supported is slightly useful. We don't have to parse /proc/filesystems looking for selinuxfs. I guess that'd be faster, but I don't know if others would use it...

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
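The two userspace checks discussed in the reply above, written out as an added example (not code from the thread, the kernel, or any liblsm): detecting SELinux support by looking for `selinuxfs` in `/proc/filesystems`, and reading a task's attr file by trying the LSM-prefixed name first and falling back to the legacy shared file. The `selinux.current` file name follows the `selinux.*` naming mentioned in the thread and is an assumption of this example, as is the mapping from LSM name to pseudo-filesystem; the `/proc/filesystems` content below is constructed, not captured from a host.

```python
import os

# Constructed sample of /proc/filesystems content (not captured from a real host).
# Real format: one filesystem per line, "nodev\t<name>" for pseudo-filesystems,
# "\t<name>" for block-device filesystems.
SAMPLE_PROC_FILESYSTEMS = "nodev\tsysfs\nnodev\tproc\nnodev\tselinuxfs\n\text4\nnodev\tsecurityfs\n"

# Assumed mapping from LSM name to the pseudo-filesystem it registers.
# Only SELinux registers its own filesystem type; other LSMs live under
# securityfs, so this check cannot answer for them.
LSM_FILESYSTEMS = {"selinux": "selinuxfs"}


def registered_filesystems(text):
    """Return the filesystem names listed in /proc/filesystems text."""
    names = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The name is the last tab-separated field; the first is "nodev" or empty.
        names.append(line.split("\t")[-1].strip())
    return names


def lsm_supported(lsmname, proc_filesystems_text=None):
    """Approximate the lsm_supported() idea from the thread.

    Returns True/False when the LSM can be detected via /proc/filesystems,
    or None when this method cannot tell (LSM with no filesystem of its own).
    """
    fsname = LSM_FILESYSTEMS.get(lsmname)
    if fsname is None:
        return None
    if proc_filesystems_text is None:
        with open("/proc/filesystems") as f:  # live read when no text is supplied
            proc_filesystems_text = f.read()
    return fsname in registered_filesystems(proc_filesystems_text)


def _read_file(path):
    """Read a file as bytes; return None if it is absent or unreadable."""
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return None


def read_attr(attr_dir, lsmname, attr="current", reader=_read_file):
    """Read a task attr, preferring the LSM-prefixed file (assumed name
    '<lsm>.<attr>') over the legacy shared '<attr>' file.

    Returns (file_name_used, value) or None if neither file is readable.
    The reader parameter exists so the lookup can be exercised without /proc.
    """
    for name in (f"{lsmname}.{attr}", attr):
        data = reader(os.path.join(attr_dir, name))
        if data is None:
            continue
        # The kernel returns a NUL- or newline-terminated label.
        return name, data.rstrip(b"\0\n").decode(errors="replace")
    return None


if __name__ == "__main__":
    print("selinux via sample /proc/filesystems:", lsm_supported("selinux", SAMPLE_PROC_FILESYSTEMS))
    print("apparmor via sample /proc/filesystems:", lsm_supported("apparmor", SAMPLE_PROC_FILESYSTEMS))
    print("attr on this host:", read_attr("/proc/self/attr", "selinux"))
```

Running the file on a real host prints whichever attr file the kernel actually exposes; the thread's concern is exactly the case where only the legacy `current` exists and is being presented by a different LSM than the caller expects, which is why the returned name is reported alongside the value.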