On Wed, Aug 9, 2023 at 4:57 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> On Tue, Aug 8, 2023 at 6:27 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> >
> > This commit reverts 5b0eea835d4e ("selinux: introduce an initial SID
> > for early boot processes") as it was found to cause problems on
> > distros with old SELinux userspace tools/libraries, specifically
> > Ubuntu 16.04.
> >
> > Hopefully we will be able to re-add this functionality at a later
> > date, but let's revert this for now to help ensure a stable and
> > backwards compatible SELinux tree.
> >
> > Link: https://lore.kernel.org/selinux/87edkseqf8.fsf@mail.lhotse
> > Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> > ---
> >  security/selinux/hooks.c | 28 -------------------
> >  .../selinux/include/initial_sid_to_string.h | 2 +-
> >  security/selinux/include/policycap.h | 1 -
> >  security/selinux/include/policycap_names.h | 1 -
> >  security/selinux/include/security.h | 6 ----
> >  security/selinux/ss/policydb.c | 27 ------------------
> >  6 files changed, 1 insertion(+), 64 deletions(-)
>
> I don't think I'm able to post a fix for this quickly enough, so:
>
> Acked-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>

Merged into selinux/next.

FWIW, I really do like the idea behind this, and I'm looking forward
to a proper fix so that we can bring it back. Unfortunately the
revert is necessary so we can have a week or two of good code in
selinux/next before the merge window.

* https://github.com/SELinuxProject/selinux-kernel/blob/main/README.md#kernel-tree-process

--
paul-moore.com