On Thu, Oct 8, 2020 at 3:50 PM Olga Kornievskaia <aglo@xxxxxxxxx> wrote:
> On Wed, Oct 7, 2020 at 9:07 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> >
> > On Wed, Oct 7, 2020 at 8:41 PM Olga Kornievskaia <aglo@xxxxxxxxx> wrote:
> > > Hi folks,
> > >
> > > From some linux kernel module, is it possible to query and find out
> > > whether or not selinux is currently enabled or not?
> > >
> > > Thank you.
> >
> > [NOTE: CC'ing the SELinux list as it's probably a bit more relevant
> > than the LSM list]
> >
> > In general most parts of the kernel shouldn't need to worry about what
> > LSMs are active and/or enabled; they simply interact with the LSM(s)
> > via the interfaces defined in include/linux/security.h (there are some
> > helpful comments in include/linux/lsm_hooks.h). Can you elaborate a
> > bit more on what you are trying to accomplish?
>
> Hi Paul,
>
> Thank you for the response. What I'm trying to accomplish is the
> following. Within a file system (NFS), typically any queries for
> security labels are triggered by the SELinux (or I guess an LSM in
> general) (thru the xattr_handler hooks). However, when the VFS is
> calling to get directory entries NFS will always get the labels
> (barring server not supporting it). However this is useless and affects
> performance (i.e., this makes servers do extra work and adds to the
> network traffic) when selinux is disabled. It would be useful if NFS
> can check if there is anything that requires those labels, if SELinux
> is enabled or disabled.

Isn't this already accomplished by the security_ismaclabel() checks
that NFS is already doing?

--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.