Dan Walsh's Blog

Got SELinux?

Fedora 16 is about to go to Alpha release, some SELinux changes.
First, with the move to systemd, we were asked to move the /selinux file system to a more standard location.

From this point forward the selinuxfs will be mounted under /sys/fs/selinux.

This seems to be the new location for kernel interface file systems, like cgroup:

# ls /sys/fs/
cgroup    ext4  fuse  selinux

libselinux has been modified to mount the selinuxfs file system on the /sys/fs/selinux directory if it exists, otherwise libselinux will fall back to mounting on the /selinux directory if it exists.

One problem I foresee, and which we are beginning to fix, is any application that hard-codes "/selinux".  So far we have had to fix anaconda, livecd-tools, policycoreutils, and dracut.  In most cases you should use the command line tools like setenforce or selinuxenabled, or use the Python bindings:

>>> import selinux
>>> print (selinux.is_selinux_enabled())

And not hard code the path.

Another option is to grep /proc/self/mountinfo:

# grep selinuxfs /proc/self/mountinfo  | head -1 | awk '{ print $5 }'
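The same lookup as a small parser, for programs that cannot shell out. This is an added example, not code from the original post or from libselinux. It matches on the filesystem-type field, so a line that merely contains the string "selinuxfs" in a path is not mistaken for the mount. The function names and the sample mountinfo text are constructed for illustration.

```python
import re

# Constructed sample of /proc/self/mountinfo (not captured from a real host).
# The ext4 line comes first on purpose: a plain "grep selinuxfs | head -1"
# would pick it and report the wrong directory.
SAMPLE_MOUNTINFO = """\
40 20 8:1 /backup /mnt/selinuxfs\\040notes rw,relatime shared:9 - ext4 /dev/sda1 rw
15 20 0:3 / /proc rw,relatime - proc proc rw
16 20 0:15 / /sys rw,relatime - sysfs sysfs rw
18 16 0:17 / /sys/fs/selinux rw,relatime - selinuxfs selinuxfs rw
25 16 0:21 / /sys/fs/cgroup rw,nosuid shared:5 - tmpfs tmpfs rw,mode=755
"""


def _unescape(field):
    """mountinfo writes space, tab, newline and backslash as \\ooo octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def selinuxfs_mounts(mountinfo_text):
    """Return the mount points of every selinuxfs entry in mountinfo text."""
    mounts = []
    for line in mountinfo_text.splitlines():
        fields = line.split(" ")
        try:
            # Fields 0-5 are fixed; optional fields follow until a lone "-".
            sep = fields.index("-", 6)
        except ValueError:
            continue  # malformed or truncated line
        # The field right after the separator is the filesystem type.
        if len(fields) > sep + 1 and fields[sep + 1] == "selinuxfs":
            mounts.append(_unescape(fields[4]))  # field 5 of the line: mount point
    return mounts


def find_selinux_mount(mountinfo_text=None):
    """Return the selinuxfs mount point, or None if it is not mounted."""
    if mountinfo_text is None:
        try:
            with open("/proc/self/mountinfo") as f:
                mountinfo_text = f.read()
        except OSError:
            return None  # no /proc, or not readable
    mounts = selinuxfs_mounts(mountinfo_text)
    return mounts[0] if mounts else None


if __name__ == "__main__":
    print(find_selinux_mount() or "selinuxfs is not mounted")
```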

If you know of any applications that hard code /selinux into them, please let me know and I can work with the maintainer or developer to fix the code.

The sentence starting "libselinux has been modified" makes sense if you replace "/proc/fs/selinux" with "directory". Is that what you intended? (That's certainly what seems to have been checked in.)

Thanks, I modified the post to be clearer.

Clearer but wrong? I'm sure the code has /sys/fs/selinux falling back to /selinux rather than /proc/fs/selinux. Am I mistaken?

I guess my blog should be a wiki. Thanks.

