On 12/12/2012 10:47 AM, Eric Paris wrote:
> On Wed, Dec 12, 2012 at 1:25 PM, Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>
>> Configure None as the presented LSM and all legacy userspace
>> will fail. Trouble for all.
> I think the question is when and how it fails. I'd like SELinux to
> fail really early and in some clean way if it is non-present and you
> don't have new userspace. I'd rather it fail on policy load than on
> some later /proc/*/attr/ issue. I can do it myself even if you don't
> want to do it as part of the stacking work.

So the problem would be old userspace (new userspace can query
/sys/kernel/security/lsm and /sys/kernel/security/present) with
a kernel configured with present=apparmor. You want loading SELinux
policy to fail in this case, because you know that the system isn't
going to work properly.

You are suggesting a kernel change that inhibits loading the SELinux
policy unless userspace tells the kernel it is OK to do so if present
is not selinux. I have no objection to such. You could look at
CONFIG_PRESENT_SECURITY in the SELinux initialization code and set
a "don't load" trigger if it isn't "selinux". Your selinuxfs (or some
other) interface could allow the trigger to get unset by the updated
userspace.

>
> My current thought is a required ioctl before policy load if
> non-present otherwise reject policy load instead of the entirely new
> policy load file.
>
> -Eric
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.
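The "don't load" trigger described in the message above, as an added userspace model in C (not code from the thread or from the kernel). Every name except CONFIG_PRESENT_SECURITY is hypothetical, and the -EOPNOTSUPP return value is an assumption, since the thread does not pick an error code.

```c
/* Userspace model of the proposed gate; not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct sel_gate {
    bool dont_load;      /* armed at init when SELinux is not the presented LSM */
    bool policy_loaded;
};

/* 'present' stands in for the CONFIG_PRESENT_SECURITY string. */
static void sel_gate_init(struct sel_gate *g, const char *present)
{
    g->policy_loaded = false;
    g->dont_load = (present == NULL || strcmp(present, "selinux") != 0);
}

/* Updated userspace tells the kernel it knows SELinux is not presented
 * (the selinuxfs write or ioctl discussed in the thread). */
static void sel_gate_ack(struct sel_gate *g) { g->dont_load = false; }

/* Policy load is the early, clean failure point for legacy userspace. */
static int sel_gate_load_policy(struct sel_gate *g, const void *data, size_t len)
{
    if (g->dont_load)
        return -EOPNOTSUPP;          /* assumed error code */
    if (data == NULL || len == 0)
        return -EINVAL;
    g->policy_loaded = true;
    return 0;
}

/* One boot: legacy userspace loads policy directly, updated userspace acks first. */
static int simulate_boot(const char *present, bool updated_userspace)
{
    struct sel_gate g;
    static const char policy[] = "constructed-policy-blob"; /* constructed sample */

    sel_gate_init(&g, present);
    if (updated_userspace)
        sel_gate_ack(&g);
    return sel_gate_load_policy(&g, policy, sizeof(policy));
}

int main(void)
{
    printf("selinux/legacy:   %d\n", simulate_boot("selinux", false));
    printf("apparmor/legacy:  %d\n", simulate_boot("apparmor", false));
    printf("apparmor/updated: %d\n", simulate_boot("apparmor", true));
    return 0;
}
```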