Re: [PATCH] SELinux: Measure state and hash of policy using IMA

From: Stephen Smalley
Date: Wed Aug 26 2020 - 08:51:58 EST


On Tue, Aug 25, 2020 at 4:49 PM Lakshmi Ramasubramanian
<nramas@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On 8/24/20 3:18 PM, Paul Moore wrote:
>
> Hi Paul,
>
> >>>>> Is Ondrej's re-try approach what I need to use to work around the policy reload issue?
> >>>>
> >>>> No, I think perhaps we should move the mutex to selinux_state instead
> >>>> of selinux_fs_info. selinux_fs_info has a pointer to selinux_state so
> >>>> it can then use it indirectly. Note that your patches are going to
> >>>> conflict with other ongoing work in the selinux next branch that is
> >>>> refactoring policy load and converting the policy rwlock to RCU.
> >>>
> >>> Yeah, and I'm experimenting with a patch on top of Stephen's RCU work
> >>> that would allow you to do this in a straightforward way without even
> >>> messing with the fsi->mutex. My patch may or may not be eventually
> >>> committed, but either way I'd recommend holding off on this for a
> >>> while until the dust settles around the RCU conversion.
> >>
> >> I can make the SELinux\IMA changes in "selinux next branch" taking
> >> dependencies on Stephen's patches + relevant IMA patches.
> >
> > I know it can be frustrating to hear what I'm about to say, but the
> > best option is probably just to wait a little to let things settle in
> > the SELinux -next branch. There is a lot of stuff going on right now
> > with patches flooding in (at least "flooding" from a SELinux kernel
> > development perspective) and we/I haven't gotten through all of
> > them yet.
> >
>
> Could you please let me know when the current set of changes in the SELinux
> next branch will be completed and ready to take new changes?
>
> I mean, roughly - would it be a month from now, or do you expect that to
> take longer?

I can't speak for Paul but I would expect it to be sooner rather than
later. Ondrej has some follow-ups on top of my policy RCU conversion
but then it should be good to go.