From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754429AbdDLObY (ORCPT ); Wed, 12 Apr 2017 10:31:24 -0400 Received: from emsm-gh1-uea10.nsa.gov ([8.44.101.8]:28846 "EHLO emsm-gh1-uea10.nsa.gov" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752497AbdDLObW (ORCPT ); Wed, 12 Apr 2017 10:31:22 -0400 X-IronPort-AV: E=Sophos;i="5.37,191,1488844800"; d="scan'208";a="5877031" IronPort-PHdr: =?us-ascii?q?9a23=3ArGTGBhfDM7EB+rfR0zBKMTNTlGMj4u6mDksu8pMi?= =?us-ascii?q?zoh2WeGdxc24bBCN2/xhgRfzUJnB7Loc0qyN4v6mADJLvsrJmUtBWaQEbwUCh8?= =?us-ascii?q?QSkl5oK+++Imq/EsTXaTcnFt9JTl5v8iLzG0FUHMHjew+a+SXqvnYdFRrlKAV6?= =?us-ascii?q?OPn+FJLMgMSrzeCy/IDYbxlViDanb75/KBS7oR/MusQXjodvKKk8wQbVr3VVfO?= =?us-ascii?q?hb2XlmLk+JkRbm4cew8p9j8yBOtP8k6sVNT6b0cbkmQLJBFDgpPHw768PttRnY?= =?us-ascii?q?UAuA/WAcXXkMkhpJGAfK8hf3VYrsvyTgt+p93C6aPdDqTb0xRD+v4btnRAPuhS?= =?us-ascii?q?waLDMy7n3ZhdJsg6JauBKhpgJww4jIYIGOKfFyerrRcc4GSWZdW8pcUSJOApm4?= =?us-ascii?q?b4ASEeQPO+hWpJT5q1cXsBeyGQygCeXywTFKm3D2x7U33ec8Hw/GwgIuEdABsH?= =?us-ascii?q?rTrNrpM6kdXu+7wbLUzTjAdf5axS3w5JTKfx0nvPqCXahwcc3UyUQ3Cg3Fkkuf?= =?us-ascii?q?qZTlPzyL0OQGrnWV7+96WuKrj24otQFwqSWoy8c3l4bJnZkYykzE9CplwIY1Is?= =?us-ascii?q?e0SEhgYdG+CpdQuCaaN5VvT84kXmpmtiE6yrgctp66eigH0Jomxx7FZPyCb4eI?= =?us-ascii?q?5hXjVPuMLjtimH1lf7e/ihCv+kaj0u3xTtS43VlFoyZfktTAq2oB2wLc58SZUP?= =?us-ascii?q?dx40Gs0iuV2Q/J8OFLO0U0mLLeK54m37E/iIIesV/GHi/qgEX2i7KWdlk89uio?= =?us-ascii?q?9evnZrLmq4eAN4BukAH+M7kumtelDeQkMgkBQ2ib+eOm2L3l4UL5W6lFguczkq?= =?us-ascii?q?nYtJDWPcUbpqinDA9Jyosv9hmyAji83NkYgHULNkxJdR2Zg4TzJl3COPX4Au2+?= =?us-ascii?q?g1Sonjdr3ffGPrj5D5XWM3fDi6zsfap96kFAyAozyspT55RPCr4bOv7zVUjxtM?= =?us-ascii?q?LAAh8jLwO02/rnCMl61o4GW2KAGKqZP73JsVOS4uIjOeyMZIgPuDbnKvgl/OXj?= =?us-ascii?q?jXgjmVAHYaap2YUYZGqkEfRhJkWTeWDsjcsZEWcWogo+S/TniEaZXj5OZnayRL?= =?us-ascii?q?k85jY9CI+9EIjMW4atjKad0ye8G51cfnpGBUyUEXf0a4WEXO8BaCaTIs9njzwF?= =?us-ascii?q?WqGtS5Q/2h6yqQ/60btnLvbU+yEBsJLj08V65/DXlR4s7jF0Ecud3H+XT21unW?= =?us-ascii?q?MHWSU23KZhrkx50FuD1rJ4g/NAH9xJ+/xJShs6NYLbz+FiD9DyWwTBfsqGSVq/?= =?us-ascii?q?QdWpHysxTtQvzN8KeEt9BdqigQ7Z3yawAL8aiaaLBJoq/aLYxXTxINx9y3ne3q?= =?us-ascii?q?k7k1YmWtdPNXGhhqNn+QnTBorJk0GYl6mwcKQQxjLC+H2ZzWqJp05XThRwUbne?= =?us-ascii?q?XX0EZ0vWq8j56V3GT7O0FbsnNQ5Bw9aYKqRWct3pkUlGRPD7NdTGZmKxnGCwBQ?= =?us-ascii?q?yWyb6XdorlZXgS3CXHB0gYiQwc4XGGNQ0mDCe7v23eFCBuFU7oY0706ulxs267?= =?us-ascii?q?Tk4vzwGRaE1h0aC59QMIivyaUP4T0bcEtz0gqzVwBlqyw9XWC9/T7zZmKZ5Ra9?= =?us-ascii?q?om/FZK0yrzqg1mJZumZ/R5jEMfaB9wuQXi2xNfBYBJkMxsp3Qvmk46EauF1Btk?= =?us-ascii?q?cDSC0NikIrjQLXP/1AqiZ67fxhfV19PAqYkV7/FtkEnupAGkEAIZ9nxj19REmy?= =?us-ascii?q?+H6o7iEBsZUZW3VF0+sRd9ueeJMWEG+4rI2Cg0YuGPuTjY1odsXbJ9xw=3D=3D?= X-IPAS-Result: =?us-ascii?q?A2HDAgDZOO5Y/wHyM5BcGgEBAQECAQEBAQgBAQEBFgEBAQM?= =?us-ascii?q?BAQEJAQEBgn8pYYELg2aaNQEBAQEBAQaBI5B9hmsohXwCg3lXAQEBAQEBAQECA?= =?us-ascii?q?QJoKIIzIgGBKSwISAEBGQEFIw8BRhALDQEKAgImAgJXBgESiAWCBA0OqEqCJiY?= =?us-ascii?q?CilEBAQEBAQEBAQIBAQEBAQEBARsFgQuFAIU6h1yCXwWPcY0ZhwKLX4F/iH8Mh?= =?us-ascii?q?jpIkzpYgQUcCQIUCB4PhzckNYkiAQEB?= Message-ID: <1492007701.3881.10.camel@tycho.nsa.gov> Subject: Re: [PATCH] selinux: add selinux_is_enforced() function From: Stephen Smalley To: Sebastien Buisson , Paul Moore Cc: selinux@tycho.nsa.gov, william.c.roberts@intel.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Sebastien Buisson , james.l.morris@oracle.com Date: Wed, 12 Apr 2017 10:35:01 -0400 In-Reply-To: References: <1491988018-4120-1-git-send-email-sbuisson@ddn.com> Organization: National Security Agency Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.22.6 (3.22.6-2.fc25) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2017-04-12 at 15:30 +0200, Sebastien Buisson wrote: > 2017-04-12 13:55 GMT+02:00 Paul Moore : > > As currently written this code isn't something we would want to > > merge > > upstream for two important reasons: > > > > * No clear user of this functionality.  There needs to be a well > > defined user of this functionality in the kernel. > > The use case for this new functionality (and the other one) is > getting > SELinux information from the Lustre client code in kernel space. > Latest patch can be accessed at: > https://review.whamcloud.com/24421 > Actual user is sptlrpc_get_sepol() function in > lustre/lustre/ptlrpc/sec.c file. > This code will be pushed to the upstream kernel as soon as it is > landed into Lustre master branch. How are you using this SELinux information in the kernel and/or in userspace? What's the purpose of it? What are you comparing it against? Why do you care if it changes? Note btw that the notion of a policy name/type and the policy file path is purely a userspace construct and shouldn't be embedded in your kernel code. Android for example doesn't follow that convention at all; their SELinux policy file is simply /sepolicy. On modern kernels, you can always read the currently loaded policy from the kernel itself via /sys/fs/selinux/policy (formerly just /selinux/policy).