On Wed, Aug 19, 2020 at 9:28 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote: > > On Tue, Aug 18, 2020 at 9:37 AM Stephen Smalley > <stephen.smalley.work@xxxxxxxxx> wrote: > > > > I did a re-base of the working-selinuxns branch on top of latest next; > > this required manual conflict fixes due to the encapsulation of the > > policy state and refactoring of policy reload. The rebase can be > > found at: > > https://github.com/stephensmalley/selinux-kernel/tree/working-selinuxns-rebase > > > > It boots, passes the selinux-testsuite, and passes the following > > trivial exercising of the unshare mechanism: > > $ sudo bash > > # echo 1 > /sys/fs/selinux/unshare > > # unshare -m -n > > # umount /sys/fs/selinux > > # mount -t selinuxfs none /sys/fs/selinux > > # id > > uid=0(root) gid=0(root) groups=0(root) context=kernel > > # getenforce > > Permissive > > # load_policy > > # id > > uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:kernel_t:s0 > > > > All the same caveats apply - this is still not safe to use and has > > many unresolved issues as noted in the patch descriptions. > > Thanks Stephen, do you mind if I pull that into the working-selinuxns > branch in the main SELinux repo? Unfortunately I need to re-base it again and manually fix conflicts with my patch to avoid deferencing the policy prior to initialization. And I'll need to do it again when/if the patch to convert the policy rwlock to rcu lands. So you might want to wait. I'm starting to wonder if the first patch in the series to rename selinux_state/state to selinux_ns/ns throughout is a mistake because it produces a lot of unnecessary conflicts. Originally I did it because that was the original naming since the encapsulation started to support namespacing and then I did a mass rename to selinux_state/state for upstreaming since I wasn't yet upstreaming the actual namespace support. Renaming it back again reduces conflicts in the later patches but makes the first one a pain. But if I just do a mass rename on all the later patches then I can drop the first one and avoid these unnecessary conflicts. Thoughts?
