From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: Petr Lautrbach <plautrba@redhat.com>
Cc: SElinux list <selinux@vger.kernel.org>,
Ondrej Mosnacek <omosnace@redhat.com>,
Paul Moore <paul@paul-moore.com>
Subject: Re: [RFC PATCH] selinux: runtime disable is deprecated, add some ssleep() discomfort
Date: Thu, 20 Aug 2020 12:58:31 -0400 [thread overview]
Message-ID: <33cb7940-ebd2-1ded-4f19-9c75013a8204@gmail.com> (raw)
In-Reply-To: <CAEjxPJ6Kw8i_z_i2Y0A3HcK23DMoazWUZxMtNa7ErQv_bjm=QQ@mail.gmail.com>
On 8/19/20 3:16 PM, Stephen Smalley wrote:
> On Wed, Aug 19, 2020 at 3:07 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
>> On Wed, Aug 19, 2020 at 1:15 PM Petr Lautrbach <plautrba@redhat.com> wrote:
>> There are some corner cases currently, e.g. you can't remove the
>> security.selinux xattr if SELinux is enabled currently, and there are
>> various hardcoded error cases in the SELinux hook functions that could
>> potentially occur. Beyond that there is the memory and runtime
>> overhead. Getting people to start using selinux=0 if they want to
>> disable SELinux is definitely preferable.
> We could try to eliminate those error cases by checking early for
> selinux_initialized(state) in more of the hooks and bailing
> immediately with success in that case, but we'd have to go through and
> identify where we need that.
I did a quick look through error cases in the hook functions and it
appeared that the only case where we would return an error that isn't
already protected by a selinux_initialized() test or a test of enforcing
mode is the removexattr() check. So I just posted a patch to lift that
restriction if policy hasn't been loaded. Hopefully there aren't any
other user-visible differences.
next prev parent reply other threads:[~2020-08-20 16:58 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-02 12:47 [RFC PATCH] selinux: runtime disable is deprecated, add some ssleep() discomfort Paul Moore
2020-06-02 12:49 ` Paul Moore
2020-06-04 14:49 ` Stephen Smalley
2020-06-08 21:35 ` Paul Moore
2020-06-08 22:13 ` Stephen Smalley
2020-06-08 22:56 ` William Roberts
2020-06-10 14:03 ` Stephen Smalley
2020-06-10 14:11 ` Stephen Smalley
2020-06-11 13:29 ` Ondrej Mosnacek
2020-06-12 19:28 ` Paul Moore
2020-08-19 17:14 ` Petr Lautrbach
2020-08-19 19:07 ` Stephen Smalley
2020-08-19 19:16 ` Stephen Smalley
2020-08-20 15:41 ` Casey Schaufler
2020-08-20 16:58 ` Stephen Smalley [this message]
2020-08-20 20:31 ` Petr Lautrbach
2020-09-10 11:39 ` Ondrej Mosnacek
2020-09-10 12:33 ` Stephen Smalley
2020-09-23 18:32 ` Paul Moore
2020-09-24 23:42 ` Stephen Smalley
2020-09-10 13:31 ` Stephen Smalley
2020-09-10 14:36 ` Stephen Smalley
2020-09-10 14:54 ` Stephen Smalley
2020-06-12 19:00 ` Paul Moore
2020-06-12 18:56 ` Paul Moore
2022-03-01 22:53 Paul Moore
2022-03-01 22:57 ` Paul Moore
2022-03-01 23:02 ` Casey Schaufler
2022-04-04 20:23 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=33cb7940-ebd2-1ded-4f19-9c75013a8204@gmail.com \
--to=stephen.smalley.work@gmail.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=plautrba@redhat.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).