* [PATCH] Documentation,selinux: fix references to old selinuxfs mount point
@ 2020-01-07 16:35 Stephen Smalley
2020-01-07 18:00 ` Paul Moore
0 siblings, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2020-01-07 16:35 UTC (permalink / raw)
To: paul; +Cc: selinux, omosnace, corbet, linux-doc, Stephen Smalley
selinuxfs was originally mounted on /selinux, and various docs and
kconfig help texts referred to nodes under it. In Linux 3.0,
/sys/fs/selinux was introduced as the preferred mount point for selinuxfs.
Fix all the old references to /selinux/ to /sys/fs/selinux/.
While we are there, update the description of the selinux boot parameter
to reflect the fact that the default value is always 1 since
commit be6ec88f41ba94 ("selinux: Remove SECURITY_SELINUX_BOOTPARAM_VALUE")
and drop discussion of runtime disable since it is deprecated.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
Documentation/admin-guide/kernel-parameters.txt | 9 ++++-----
security/selinux/Kconfig | 7 ++++---
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index ade4e6ec23e0..eed51293d6cf 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -511,7 +511,7 @@
1 -- check protection requested by application.
Default value is set via a kernel config option.
Value can be changed at runtime via
- /selinux/checkreqprot.
+ /sys/fs/selinux/checkreqprot.
cio_ignore= [S390]
See Documentation/s390/common_io.rst for details.
@@ -1245,7 +1245,8 @@
0 -- permissive (log only, no denials).
1 -- enforcing (deny and log).
Default value is 0.
- Value can be changed at runtime via /selinux/enforce.
+ Value can be changed at runtime via
+ /sys/fs/selinux/enforce.
erst_disable [ACPI]
Disable Error Record Serialization Table (ERST)
@@ -4348,9 +4349,7 @@
See security/selinux/Kconfig help text.
0 -- disable.
1 -- enable.
- Default value is set via kernel config option.
- If enabled at boot time, /selinux/disable can be used
- later to disable prior to initial policy load.
+ Default value is 1.
apparmor= [APPARMOR] Disable or enable AppArmor at boot time
Format: { "0" | "1" }
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 580ac24c7aa1..1014cb0ee956 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -58,7 +58,8 @@ config SECURITY_SELINUX_DEVELOP
kernel will start in permissive mode (log everything, deny nothing)
unless you specify enforcing=1 on the kernel command line. You
can interactively toggle the kernel between enforcing mode and
- permissive mode (if permitted by the policy) via /selinux/enforce.
+ permissive mode (if permitted by the policy) via
+ /sys/fs/selinux/enforce.
config SECURITY_SELINUX_AVC_STATS
bool "NSA SELinux AVC Statistics"
@@ -66,7 +67,7 @@ config SECURITY_SELINUX_AVC_STATS
default y
help
This option collects access vector cache statistics to
- /selinux/avc/cache_stats, which may be monitored via
+ /sys/fs/selinux/avc/cache_stats, which may be monitored via
tools such as avcstat.
config SECURITY_SELINUX_CHECKREQPROT_VALUE
@@ -85,7 +86,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
default to checking the protection requested by the application.
The checkreqprot flag may be changed from the default via the
'checkreqprot=' boot parameter. It may also be changed at runtime
- via /selinux/checkreqprot if authorized by policy.
+ via /sys/fs/selinux/checkreqprot if authorized by policy.
If you are unsure how to answer this question, answer 0.
--
2.24.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] Documentation,selinux: fix references to old selinuxfs mount point
2020-01-07 16:35 [PATCH] Documentation,selinux: fix references to old selinuxfs mount point Stephen Smalley
@ 2020-01-07 18:00 ` Paul Moore
0 siblings, 0 replies; 4+ messages in thread
From: Paul Moore @ 2020-01-07 18:00 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux, omosnace, corbet, linux-doc
On Tue, Jan 7, 2020 at 11:34 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> selinuxfs was originally mounted on /selinux, and various docs and
> kconfig help texts referred to nodes under it. In Linux 3.0,
> /sys/fs/selinux was introduced as the preferred mount point for selinuxfs.
> Fix all the old references to /selinux/ to /sys/fs/selinux/.
> While we are there, update the description of the selinux boot parameter
> to reflect the fact that the default value is always 1 since
> commit be6ec88f41ba94 ("selinux: Remove SECURITY_SELINUX_BOOTPARAM_VALUE")
> and drop discussion of runtime disable since it is deprecated.
>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
> Documentation/admin-guide/kernel-parameters.txt | 9 ++++-----
> security/selinux/Kconfig | 7 ++++---
> 2 files changed, 8 insertions(+), 8 deletions(-)
Merged into selinux/next, thanks.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] Documentation,selinux: fix references to old selinuxfs mount point
2020-01-07 15:44 Stephen Smalley
@ 2020-01-07 16:19 ` Paul Moore
0 siblings, 0 replies; 4+ messages in thread
From: Paul Moore @ 2020-01-07 16:19 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux, omosnace, corbet, linux-doc
On Tue, Jan 7, 2020 at 10:44 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> selinuxfs was originally mounted on /selinux, and various docs and
> kconfig help texts referred to nodes under it. In Linux 3.0,
> /sys/fs/selinux was introduced as the preferred mount point for selinuxfs.
> Fix all the old references to /selinux/ to /sys/fs/selinux/.
>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
> Documentation/admin-guide/kernel-parameters.txt | 9 +++++----
> security/selinux/Kconfig | 7 ++++---
> 2 files changed, 9 insertions(+), 7 deletions(-)
...
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index ade4e6ec23e0..565d84760e48 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -4349,8 +4350,8 @@
> 0 -- disable.
> 1 -- enable.
> Default value is set via kernel config option.
> - If enabled at boot time, /selinux/disable can be used
> - later to disable prior to initial policy load.
> + If enabled at boot time, /sys/fs/selinux/disable can
> + be used later to disable prior to initial policy load.
While we are modifying this, I would suggest adding a note about
/sys/fs/selinux/disable being deprecated, or simply remove mention of
/sys/fs/selinux/disable. The latter option is probably the better
choice.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH] Documentation,selinux: fix references to old selinuxfs mount point
@ 2020-01-07 15:44 Stephen Smalley
2020-01-07 16:19 ` Paul Moore
0 siblings, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2020-01-07 15:44 UTC (permalink / raw)
To: paul; +Cc: selinux, omosnace, corbet, linux-doc, Stephen Smalley
selinuxfs was originally mounted on /selinux, and various docs and
kconfig help texts referred to nodes under it. In Linux 3.0,
/sys/fs/selinux was introduced as the preferred mount point for selinuxfs.
Fix all the old references to /selinux/ to /sys/fs/selinux/.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
Documentation/admin-guide/kernel-parameters.txt | 9 +++++----
security/selinux/Kconfig | 7 ++++---
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index ade4e6ec23e0..565d84760e48 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -511,7 +511,7 @@
1 -- check protection requested by application.
Default value is set via a kernel config option.
Value can be changed at runtime via
- /selinux/checkreqprot.
+ /sys/fs/selinux/checkreqprot.
cio_ignore= [S390]
See Documentation/s390/common_io.rst for details.
@@ -1245,7 +1245,8 @@
0 -- permissive (log only, no denials).
1 -- enforcing (deny and log).
Default value is 0.
- Value can be changed at runtime via /selinux/enforce.
+ Value can be changed at runtime via
+ /sys/fs/selinux/enforce.
erst_disable [ACPI]
Disable Error Record Serialization Table (ERST)
@@ -4349,8 +4350,8 @@
0 -- disable.
1 -- enable.
Default value is set via kernel config option.
- If enabled at boot time, /selinux/disable can be used
- later to disable prior to initial policy load.
+ If enabled at boot time, /sys/fs/selinux/disable can
+ be used later to disable prior to initial policy load.
apparmor= [APPARMOR] Disable or enable AppArmor at boot time
Format: { "0" | "1" }
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 580ac24c7aa1..1014cb0ee956 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -58,7 +58,8 @@ config SECURITY_SELINUX_DEVELOP
kernel will start in permissive mode (log everything, deny nothing)
unless you specify enforcing=1 on the kernel command line. You
can interactively toggle the kernel between enforcing mode and
- permissive mode (if permitted by the policy) via /selinux/enforce.
+ permissive mode (if permitted by the policy) via
+ /sys/fs/selinux/enforce.
config SECURITY_SELINUX_AVC_STATS
bool "NSA SELinux AVC Statistics"
@@ -66,7 +67,7 @@ config SECURITY_SELINUX_AVC_STATS
default y
help
This option collects access vector cache statistics to
- /selinux/avc/cache_stats, which may be monitored via
+ /sys/fs/selinux/avc/cache_stats, which may be monitored via
tools such as avcstat.
config SECURITY_SELINUX_CHECKREQPROT_VALUE
@@ -85,7 +86,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
default to checking the protection requested by the application.
The checkreqprot flag may be changed from the default via the
'checkreqprot=' boot parameter. It may also be changed at runtime
- via /selinux/checkreqprot if authorized by policy.
+ via /sys/fs/selinux/checkreqprot if authorized by policy.
If you are unsure how to answer this question, answer 0.
--
2.24.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-01-07 18:00 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-01-07 16:35 [PATCH] Documentation,selinux: fix references to old selinuxfs mount point Stephen Smalley
2020-01-07 18:00 ` Paul Moore
-- strict thread matches above, loose matches on Subject: below --
2020-01-07 15:44 Stephen Smalley
2020-01-07 16:19 ` Paul Moore
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).