On 29.3.2020 12.27, Dominick Grift wrote:
> Topi Miettinen <toiwoton@xxxxxxxxx> writes:
>
>> Mount selinuxfs with mount flags nodev,noexec and nosuid. It's not
>> likely that this has any effect, but it's visually more pleasing.
>
> will nodev interfere with this?
>
> File: /sys/fs/selinux/null
> Size: 0 Blocks: 0 IO Block: 4096 character special file
> Device: 15h/21d Inode: 23 Links: 1 Device type: 1,3
> Access: (0666/crw-rw-rw-) Uid: ( 0/ root) Gid: ( 0/ root)
> Context: sys.id:sys.role:null.isid:s0
> Access: 2020-03-28 13:04:05.578999988 +0100
> Modify: 2020-03-28 13:04:05.578999988 +0100
> Change: 2020-03-28 13:04:05.578999988 +0100
> Birth: -
>
> /sys/fs/selinux/null: character special (1/3)
That device does not give me joy. Yes, the patch prevents it from being
used. But I didn't see any problems in the logs, even with something
else mounted over it (adding InaccessiblePaths=/sys/fs/selinux/null to
systemd unit files). The device file was added pretty early to Linux,
perhaps it was needed then, but not anymore?
Judging from internet searches, maybe it's only used by Android. They
seem to use a forked version of libselinux anyway.
-Topi
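
An added example, not part of the thread or of libselinux: one way to check, from text in /proc/self/mounts format, whether selinuxfs carries the nodev, noexec and nosuid flags discussed above. The function names and the sample mount lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum { MISSING_NODEV = 1, MISSING_NOEXEC = 2, MISSING_NOSUID = 4, NOT_MOUNTED = -1 };

/* Constructed sample lines in /proc/self/mounts format (not from the thread). */
static const char SAMPLE_PLAIN[] = "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n";
static const char SAMPLE_HARDENED[] =
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs rw,nosuid,nodev,noexec,relatime 0 0\n";

/* Return 1 if the comma-separated option list contains exactly `flag`. */
static int has_opt(const char *opts, const char *flag)
{
    size_t n = strlen(flag);
    while (*opts) {
        size_t len = strcspn(opts, ",");
        if (len == n && strncmp(opts, flag, n) == 0)
            return 1;
        opts += len;
        if (*opts == ',')
            opts++;
    }
    return 0;
}

/* Hypothetical helper: bitmask of flags the selinuxfs mount lacks, or NOT_MOUNTED. */
int selinuxfs_missing_flags(const char *mounts)
{
    char dev[64], dir[256], type[64], opts[512];
    int result = NOT_MOUNTED;

    while (*mounts) {
        /* Fields: device, mount point, filesystem type, options. */
        if (sscanf(mounts, "%63s %255s %63s %511s", dev, dir, type, opts) == 4 &&
            strcmp(type, "selinuxfs") == 0)
            result = (has_opt(opts, "nodev") ? 0 : MISSING_NODEV) |
                     (has_opt(opts, "noexec") ? 0 : MISSING_NOEXEC) |
                     (has_opt(opts, "nosuid") ? 0 : MISSING_NOSUID);
        mounts += strcspn(mounts, "\n");   /* advance to the next line */
        if (*mounts == '\n')
            mounts++;
    }
    return result;
}

int main(void)
{
    printf("plain: %d, hardened: %d\n", selinuxfs_missing_flags(SAMPLE_PLAIN),
           selinuxfs_missing_flags(SAMPLE_HARDENED));
    return 0;
}
```

To audit a live system, read /proc/self/mounts into a buffer and pass it to `selinuxfs_missing_flags()`; a result of 0 means all three flags are set.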