On Tue, Aug 18, 2020 at 9:37 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote: > > I did a re-base of the working-selinuxns branch on top of latest next; > this required manual conflict fixes due to the encapsulation of the > policy state and refactoring of policy reload. The rebase can be > found at: > https://github.com/stephensmalley/selinux-kernel/tree/working-selinuxns-rebase > > It boots, passes the selinux-testsuite, and passes the following > trivial exercising of the unshare mechanism: > $ sudo bash > # echo 1 > /sys/fs/selinux/unshare > # unshare -m -n > # umount /sys/fs/selinux > # mount -t selinuxfs none /sys/fs/selinux > # id > uid=0(root) gid=0(root) groups=0(root) context=kernel > # getenforce > Permissive > # load_policy > # id > uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:kernel_t:s0 > > All the same caveats apply - this is still not safe to use and has > many unresolved issues as noted in the patch descriptions. Thanks Stephen, do you mind if I pull that into the working-selinuxns branch in the main SELinux repo? -- paul moore www.paul-moore.com
