cycles, the kernel below should both have the
clone/iif fix (it's in Linus' tree now) as well as some printks when errors
occur so packets are no longer silently dropped by SELinux.
* git://git.infradead.org/users/pcmoore/lblnet-2.6_testing
--
paul moore
linux security @ hp
--
To unsubscribe
=02f1c89d6e36507476f78108a3dcc78538be460b
--
paul moore
linux security @ hp
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http
On Monday 14 January 2008 6:04:28 pm [EMAIL PROTECTED] wrote:
On Mon, 14 Jan 2008 14:07:46 EST, Paul Moore said:
http://git.infradead.org/?p=users/pcmoore/lblnet-2.6_testing;a=commitdiff
;h=02f1c89d6e36507476f78108a3dcc78538be460b
Initial testing indicates that 2.6.24-rc6-mm1 plus this one
no_packet;
Two things. First you can probably just call kfree_skb() instead of
skb_free_datagram(). Second, why not move the 'no_peek' code to just
before 'no_packet'?
--
paul moore
linux security @ hp
On Friday 16 November 2007 10:45:32 pm Tetsuo Handa wrote:
Paul Moore wrote:
I might be missing something here, but why do you need to do a skb_peek()
again? You already have the skb and the sock, just do the unlink.
The skb might be already dequeued by other thread while I slept inside
On Saturday 17 November 2007 11:00:20 pm Tetsuo Handa wrote:
Hello.
Hello.
Paul Moore wrote:
Okay, well if that is the case I think you are going to have another
problem in that you could end up throwing away skbs that haven't been
through your security_post_recv_datagram() hook because
On Monday 19 November 2007 9:29:52 am Tetsuo Handa wrote:
Paul Moore wrote:
If that is the case then the second call to
skb_peek() will return a different skb than the one you passed to
security_post_recv_datagram().
Yes. The second call to skb_peek() might return a different skb than
On Monday 17 December 2007 2:40:35 pm Joe Perches wrote:
Signed-off-by: Joe Perches [EMAIL PROTECTED]
Thanks Joe.
Acked-by: Paul Moore [EMAIL PROTECTED]
---
net/netlabel/netlabel_mgmt.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/netlabel/netlabel_mgmt.c
in the
selinux_xfrm_enabled() is called from security/selinux/hooks.c, depends on
the extern atomic_t selinux_xfrm_refcount.
The problem appears to be that the selinux_xfrm_refcount functionality is not
properly protected by CONFIG_SECURITY_NETWORK_XFRM. I'm fixing that now.
--
paul moore
linux security @ hp
On Tuesday 20 November 2007 3:48:44 pm Paul Moore wrote:
On Tuesday 20 November 2007 3:34:24 pm Kamalesh Babulal wrote:
Hi Andrew,
The kernel build fails, in selinux with following error
CHK include/linux/compile.h
UPD include/linux/compile.h
CC init/version.o
untrained eye it
looks like __netdev_alloc_skb() should be setting skb->iif (like it does for
skb->dev) but it currently doesn't.
Am I barking up the wrong tree here?
. paul moore
. linux security @ hp
-Original Message-
From: James Morris [EMAIL PROTECTED]
Date: Wednesday, Dec 26, 2007 7
On Wednesday 26 December 2007 4:52:03 pm James Morris wrote:
On Thu, 26 Dec 2007, Paul Moore wrote:
As James said I'm away right now and computer access is limited.
However, I'm stuck in the airport right now and spent some time looking
at the code ... Based on what has been found so far I
On Monday 31 December 2007 12:13:32 pm Paul Moore wrote:
On Wednesday 26 December 2007 4:52:03 pm James Morris wrote:
On Thu, 26 Dec 2007, Paul Moore wrote:
As James said I'm away right now and computer access is limited.
However, I'm stuck in the airport right now and spent some time
On Monday 31 December 2007 4:46:09 pm James Morris wrote:
On Mon, 31 Dec 2007, Paul Moore wrote:
I'm pretty certain this is an uninitialized value problem now and not a
use-after-free issue. The invalid/garbage ->iif value seems to only
happen on packets that are generated locally and sent
';
- rc = smack_netlabel(sk);
+ smack_netlabel(sk);
Once more, but with feeling.
}
/**
--
paul moore
linux security @ hp
On Wednesday 13 February 2008 4:29:40 pm Adrian Bunk wrote:
This patch makes the needlessly global secmark_tg_destroy() static.
Signed-off-by: Adrian Bunk [EMAIL PROTECTED]
Thanks for catching this.
Acked-by: Paul Moore [EMAIL PROTECTED]
---
df66d8d74309b41298ae011532fd284aad3ed2ba
diff
with syscall arguments
* Documentation corrections
* Support for C++ in the header file
Finally, thank you to everyone who has submitted suggestions, provided testing
help, and contributed patches to the project.
--
paul moore
security and virtualization @ redhat
be able to elsewhere and
I consider that a win.
--
paul moore
linux security @ hp
On Sunday 30 September 2007 4:16:18 am Andrew Morton wrote:
- hm, netlabels. Who might be a suitable person to review that code?
Seems that Paul Moore is the man. Maybe he'd be interested in taking a
look over it (please?)
Yep, I've been tracking Casey's work on this since the first
,
and other tasks. Smack is a kernel based scheme that requires
an absolute minimum of application support and a very small
amount of configuration data.
{snip}
This patch includes changes made by Paul Moore [EMAIL PROTECTED]
in support of a more comfortable interface to initialize the
CIPSO code
On Monday 03 September 2007 9:15:27 am Tetsuo Handa wrote:
Hello.
Hi.
Paul Moore wrote:
I apologize for not recognizing your approach from our earlier discussion
on the LSM mailing list in July. Unfortunately, I have the same
objections to these changes that I did back then and from
network design.
[1]http://www.netfilter.org/projects/libnetfilter_queue/index.html
--
paul moore
linux security @ hp
-accept() failed.
I think socket_post_accept() should be able to fail.
From my experience the community disapproves of approaches which go through
the entire TCP handshake and then terminate the connection, which is what
allowing security_socket_post_accept() to fail would do.
--
paul
attempts.
Please take a look at the existing LSM stream connection request hooks as
well as how SELinux makes use of them.
* post_recv_datagram is added in skb_recv_datagram.
Can you explain to me why this is not possible using the existing
security_socket_sock_rcv_skb() LSM hook?
--
paul
On Tuesday, August 28 2007 6:39:13 am Tetsuo Handa wrote:
Hello.
Hello.
Paul Moore wrote:
* post_recv_datagram is added in skb_recv_datagram.
Can you explain to me why this is not possible using the existing
security_socket_sock_rcv_skb() LSM hook?
socket_sock_rcv_skb() is a hook
On Tuesday, August 28 2007 2:46:19 am Joe Perches wrote:
On Tue, 2007-08-28 at 00:01 +, Linux Kernel Mailing List wrote:
+NETWORKING [LABELED] (NetLabel, CIPSO, Labeled IPsec, SECMARK)
+P: Paul Moore
+M: [EMAIL PROTECTED]
+L: [EMAIL PROTECTED]
+S: Maintained
+
Aren't there now 2
On Tuesday, August 28 2007 12:45:50 pm Joe Perches wrote:
On Tue, 2007-08-28 at 08:46 -0400, Paul Moore wrote:
If having both a labeled networking and NetLabel maintainer entry is a
problem then how about the patch below?
I don't think it is.
-NETWORKING [LABELED] (NetLabel, CIPSO
options/labels.
--
paul moore
linux security @ hp
On Monday, March 25, 2013 04:55:17 PM Paul Moore wrote:
On Friday, March 15, 2013 03:18:12 PM H.J. Lu wrote:
On Fri, Mar 15, 2013 at 2:56 PM, H. Peter Anvin h...@zytor.com wrote:
On 03/15/2013 02:15 PM, Paul Moore wrote:
On Tuesday, February 26, 2013 03:58:23 PM Paul Moore wrote
On Tuesday, February 26, 2013 03:58:23 PM Paul Moore wrote:
On Friday, February 15, 2013 12:21:43 PM Paul Moore wrote:
Commit fca460f95e928bae373daa8295877b6905bc62b8 simplified the x32
implementation by creating a syscall bitmask, equal to 0x4000, that
could be applied to x32 syscalls
On Friday, March 15, 2013 03:18:12 PM H.J. Lu wrote:
On Fri, Mar 15, 2013 at 2:56 PM, H. Peter Anvin h...@zytor.com wrote:
On 03/15/2013 02:15 PM, Paul Moore wrote:
On Tuesday, February 26, 2013 03:58:23 PM Paul Moore wrote:
On Friday, February 15, 2013 12:21:43 PM Paul Moore wrote
`netlbl_cipsov4_add_std':
netlabel_cipso_v4.c:(.text+0x68535): undefined reference to
`cipso_v4_doi_add' netlabel_cipso_v4.c:(.text+0x68575): undefined reference
to `cipso_v4_doi_free'
Full randconfig file is attached.
--
paul moore
www.paul-moore.com
On Friday, November 30, 2012 10:19:16 AM Paul Moore wrote:
On Thursday, November 29, 2012 04:05:26 PM Randy Dunlap wrote:
On 11/28/2012 10:40 PM, Stephen Rothwell wrote:
Hi all,
Changes since 20121128:
(on i386:)
If I had to guess it looks like CONFIG_NETLABEL needs
@@ -1,5 +1,6 @@
config SECURITY_SMACK
bool Simplified Mandatory Access Control Kernel Support
+ depends on INET
depends on NET
depends on SECURITY
select NETLABEL
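Review bot: the new `depends on INET` line sits directly above the existing `depends on NET` and nothing in the hunk says why both are needed. The reason is the `select NETLABEL` at the end of the entry, because `select` does not enforce the selected symbol's own dependencies. State that in the changelog or in a Kconfig comment next to the new line, otherwise it reads as redundant and is likely to be dropped in a later cleanup.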
--
--
paul moore
www.paul-moore.com
On Friday, February 15, 2013 12:21:43 PM Paul Moore wrote:
Commit fca460f95e928bae373daa8295877b6905bc62b8 simplified the x32
implementation by creating a syscall bitmask, equal to 0x4000, that
could be applied to x32 syscalls such that the masked syscall number
would be the same
suggestions, provided testing
help, and contributed patches to the project.
--
paul moore
security and virtualization @ redhat
functionality on
x32.
I've tested this patch with the seccomp BPF filters as well as ftrace
and everything looks reasonable to me; needless to say general usage
seemed fine as well.
Signed-off-by: Paul Moore pmo...@redhat.com
Cc: sta...@vger.kernel.org
Cc: Will Drewry w...@chromium.org
Cc: H. Peter
On Friday, February 15, 2013 11:02:49 AM H. Peter Anvin wrote:
On 02/15/2013 09:21 AM, Paul Moore wrote:
Commit fca460f95e928bae373daa8295877b6905bc62b8 simplified the x32
implementation by creating a syscall bitmask, equal to 0x4000, that
could be applied to x32 syscalls
example
you could send?
--
paul moore
linux security @ hp
and send it out.
Once again, sorry for the regression.
--
paul moore
linux security @ hp
promise to do so as soon as I am
able.
. paul moore
. linux security @ hp
, and contributed patches to the project.
--
paul moore
security and virtualization @ redhat
different traces below. Config attached.
--
paul moore
www.paul-moore.com
On Tue, Aug 7, 2012 at 5:58 PM, John Stultz john.stu...@linaro.org wrote:
On 08/07/2012 02:50 PM, Paul Moore wrote:
On Tue, Aug 7, 2012 at 2:12 PM, John Stultz john.stu...@linaro.org
wrote:
Hi,
With my kvm environment using 3.6-rc1+, I'm seeing NULL pointer
dereferences
On Tuesday, August 07, 2012 10:17:32 PM Serge E. Hallyn wrote:
Quoting Paul Moore (p...@paul-moore.com):
On Tue, Aug 7, 2012 at 5:58 PM, John Stultz john.stu...@linaro.org
wrote:
On 08/07/2012 02:50 PM, Paul Moore wrote:
On Tue, Aug 7, 2012 at 2:12 PM, John Stultz john.stu...@linaro.org
the LSM data properly initialized.
I'll put together a patch shortly.
--
paul moore
www.paul-moore.com
On Wednesday, August 08, 2012 09:38:21 PM Eric Dumazet wrote:
On Wed, 2012-08-08 at 15:26 -0400, Paul Moore wrote:
On Wednesday, August 08, 2012 12:14:42 PM John Stultz wrote:
So I bisected this down and it seems to be the following commit:
commit
.
--
paul moore
www.paul-moore.com
)
+ return 0;
+
ssp = kzalloc(sizeof(struct socket_smack), gfp_flags);
if (ssp == NULL)
return -ENOMEM;
In the case of Smack, when the kernel boolean is true I think the right
solution is to use smack_net_ambient.
--
paul moore
www.paul-moore.com
On Wednesday, August 08, 2012 04:51:56 PM Eric Paris wrote:
On Wed, Aug 8, 2012 at 4:35 PM, Paul Moore p...@paul-moore.com wrote:
On Wednesday, August 08, 2012 10:09:38 PM Eric Dumazet wrote:
Actually, the issue is that the shared socket doesn't have an init/alloc
function to do the LSM
() and
tcp_v4_timewait_ack(), any reason why we can't propagate the socket down to
ip_send_unicast_reply()?
--
paul moore
www.paul-moore.com
On Thu, Aug 9, 2012 at 10:27 AM, Eric Dumazet eric.duma...@gmail.com wrote:
On Thu, 2012-08-09 at 09:30 -0400, Paul Moore wrote:
In the case of a TCP syn-recv and timewait ACK things are a little less
clear.
Eric (Dumazet), it looks like we have a socket in tcp_v4_reqsk_send_ack
() will populate sk->sk_security pointer,
subsequent ones will reuse existing context.
Reported-by: John Stultz johns...@us.ibm.com
Bisected-by: John Stultz johns...@us.ibm.com
Signed-off-by: Eric Dumazet eduma...@google.com
Cc: Paul Moore p...@paul-moore.com
Cc: Eric Paris epa...@parisplace.org
Cc
On Thu, Aug 9, 2012 at 11:36 AM, Eric Dumazet eric.duma...@gmail.com wrote:
On Thu, 2012-08-09 at 11:07 -0400, Paul Moore wrote:
Is it possible to do the call to security_sk_alloc() in the ip_init()
function
or does the per-cpu nature of the socket make this a pain?
It's a pain, if we want
this patch, or something like it, go in now to resolve the kernel
panic, and fix the labeling later.
--
paul moore
www.paul-moore.com
mean by the above?
I'm asking because I'm not convinced the labeling, either the old way
or the new way, was 100% correct and I think we're going to need to
change things regardless. I'm just not sure what the right solution
is just yet.
--
paul moore
www.paul-moore.com
patches have been posted from different authors, all fixing the same
thing ...
Acked-by: Paul Moore p...@paul-moore.com
--
paul moore
www.paul-moore.com
On Thursday 07 February 2008 3:04:59 pm Andrew Morton wrote:
On Thu, 7 Feb 2008 14:50:41 -0500
Paul Moore [EMAIL PROTECTED] wrote:
On Thursday 07 February 2008 2:02:06 pm [EMAIL PROTECTED] wrote:
The patch titled
Smack: unlabeled outgoing ambient packets
has been added
On Thursday 07 February 2008 8:34:02 pm David Miller wrote:
From: Paul Moore [EMAIL PROTECTED]
Date: Thu, 7 Feb 2008 15:14:34 -0500
My apologies, those mailing list postings there haven't hit my inbox yet.
I had to remove you a few days ago, see my other reply to
Andrew.
You are back
On Thursday 07 February 2008 9:15:19 pm David Miller wrote:
From: Paul Moore [EMAIL PROTECTED]
Date: Thu, 7 Feb 2008 20:54:56 -0500
I have no idea what was causing the mail problem, probably somebody
in our IT department playing around with some new knobs, oh well. I
resubscribed
of IPv4 options causing SSH to reject the connection.
It turns out that SSH is being a bit overzealous (rejecting all IPv4
options) in trying to reject source-routed packets.
--
paul moore
linux security @ hp
;
}
/**
* selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
*
* Description:
* Invalidate the NetLabel security attribute mapping cache.
*
*/
--
paul moore
linux security @ hp
On Monday 28 January 2008 5:35:40 pm Adrian Bunk wrote:
On Mon, Jan 28, 2008 at 05:23:46PM -0500, Paul Moore wrote:
Thanks for finding this mistake, however, I'd rather see it fixed
by removing the netlbl_secattr_destroy() call in
security_netlbl_sid_to_secattr() as it really shouldn't
in
selinux_netlbl_sock_setsid().
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
security/selinux/ss/services.c |1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 4bf715d..3a16aba 100644
--- a/security/selinux/ss
On Monday 28 January 2008 10:51:24 pm David Miller wrote:
From: Paul Moore [EMAIL PROTECTED]
Date: Mon, 28 Jan 2008 21:20:26 -0500
As pointed out by Adrian Bunk, commit
45c950e0f839fded922ebc0bfd59b1081cc71b70 caused a double-free when
security_netlbl_sid_to_secattr() fails. This patch
On Tuesday 15 January 2008 8:05:27 pm James Morris wrote:
On Tue, 15 Jan 2008, David Howells wrote:
secid_to_secctx() LSM hook. This patch also includes the SELinux
implementation for this hook.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
Acked-by: Stephen Smalley [EMAIL PROTECTED
On Wednesday 16 January 2008 5:13:53 pm James Morris wrote:
On Wed, 16 Jan 2008, Paul Moore wrote:
On Tuesday 15 January 2008 8:05:27 pm James Morris wrote:
On Tue, 15 Jan 2008, David Howells wrote:
secid_to_secctx() LSM hook. This patch also includes the SELinux
implementation
(secattr);
+ rc = smack_netlabel(sk);
I haven't checked the latest SMACK bits, but I'm pretty sure you don't
need to assign the return value of 'smack_netlabel()' to anything here
since the function doesn't return a value.
}
/**
--
paul moore
linux security @ hp
.git;a=commit;h=4c3a0a254e5d706d3fe01bf42261534858d05586
--
paul moore
linux security @ hp
On Friday 15 February 2008 4:00:26 pm Casey Schaufler wrote:
--- Paul Moore [EMAIL PROTECTED] wrote:
On Friday 15 February 2008 12:38:49 am Casey Schaufler wrote:
From: Casey Schaufler [EMAIL PROTECTED]
Smack uses CIPSO labeling, but allows for unlabeled packets
by specifying
On Friday 15 February 2008 4:00:26 pm Casey Schaufler wrote:
--- Paul Moore [EMAIL PROTECTED] wrote:
On Friday 15 February 2008 12:38:49 am Casey Schaufler wrote:
... you shouldn't fix-up the return value from
netlbl_sock_setattr(). It only returns an error when there really
is an error
security_secctx_to_secid()
using existing underlying code.
Fill in audit data for netlbl domain calls.
Collapse unnecessary multiple assignments.
Signed-off-by: Casey Schaufler [EMAIL PROTECTED]
Looks good to me, thanks for making those changes.
Acked-by: Paul Moore [EMAIL PROTECTED
On Friday 22 February 2008 2:58:07 pm Adrian Bunk wrote:
This patch makes the needlessly global smk_unlbl_ambient() static.
Signed-off-by: Adrian Bunk [EMAIL PROTECTED]
Fine with me.
Acked-by: Paul Moore [EMAIL PROTECTED]
---
60c7072cb922cdecdb8a4f08e5710c014e0e8a8c diff --git
a/security
thoughts).
I'm still reviewing the rest of the AF_BUS patches but wanted to ask this now
in case I was missing something.
--
paul moore
www.paul-moore.com
=selinux_socket_unix_may_send,
+ .bus_connect = selinux_socket_bus_connect,
.socket_create =selinux_socket_create,
.socket_post_create = selinux_socket_post_create,
--
paul moore
www.paul-moore.com
in userspace just
isn't practical in every case.
Syslog might not be the answer, but RET_TRAP and the audit log aren't very
good answers either.
--
paul moore
security and virtualization @ redhat
out for re-discussion/review.
--
paul moore
security and virtualization @ redhat
.
Signed-off-by: Corey Bryant cor...@linux.vnet.ibm.com
Where do things currently stand with this patchset? It still seems like a
reasonable addition to me.
--
paul moore
security and virtualization @ redhat
PROTECTED], Paul Moore [EMAIL PROTECTED]
On Fri, 13 Jul 2007, Michal Piotrowski wrote:
My system is too secure, I can not login :)
Do you have CONFIG_NETLABEL=y ?
If so, please try disabling it.
Disabling NetLabel should solve the problem. The recommended solution to this
problem
spinlock to a RCU locking mechanism
would this solve the preemption problem (I'm not a lock expert either)? If
so, can anyone think of any reasons why converting the policy lock to RCU is
a bad idea (James, Stephen, the other James)?
--
paul moore
linux security @ hp
On Monday 04 June 2007 5:39:00 pm Stephen Smalley wrote:
On Mon, 2007-06-04 at 17:11 -0400, Paul Moore wrote:
I'm not an expert on the SELinux security server guts like the other
people on the To/CC line of this thread, but here are my two cents on the
issue above.
From what I can tell
-Original Message-
From: Stephen Smalley [EMAIL PROTECTED]
Date: Friday, Jul 13, 2007 3:30 pm
Subject: Re: The art of breaking userspace (was Re: [GIT] SELinux changes
for 2.6.23 (updated))
To: Michal Piotrowski [EMAIL PROTECTED]
CC: Paul Moore [EMAIL PROTECTED], [EMAIL PROTECTED
that Michal reported.
--
paul moore
linux security @ hp
, since then the people involved would have seen the _correct_
example in the first version)
Oh my. I'll fix this and get another version out to James and Michal tomorrow
morning; I have to spend the rest of the night smacking myself in the
forehead.
--
paul moore
linux security @ hp
into a single block to ease future review as recommended by Linus.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
include/net/netlabel.h | 62 -
net/netlabel/netlabel_cipso_v4.c |5 +++
net/netlabel/netlabel_kapi.c | 21
net/netlabel
, thank you all for your patience.
--
paul moore
linux security @ hp
will not notice any
difference.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
security/selinux/hooks.c| 21 +++--
security/selinux/netlabel.c | 41 -
2 files changed, 31 insertions(+), 31 deletions(-)
Index: linux-2.6_netmsg_3/security
Paris epa...@parisplace.org
Cc: Paul Moore pmo...@redhat.com
Cc: linux-kernel@vger.kernel.org
Cc: linux-security-mod...@vger.kernel.org
Signed-off-by: Cong Wang amw...@redhat.com
Perhaps I'm confusing this with another patch but I thought DaveM said he
wasn't going to merge these patches
in the SELinux tree
so I've pruned them from the lblnet-next tree.
Thanks for your understanding,
-Paul
--
paul moore
www.paul-moore.com
--
paul moore
www.paul-moore.com
can't ever think of a time when I asked
Linus to pull a tree of mine directly.
If this approach doesn't work for you, please let me know and preferably
suggest an alternative.
-Paul
--
paul moore
www.paul-moore.com
if PEERSEC_SECURITY_SELINUX
+ default (all) if PEERSEC_SECURITY_ALL
+ default (first)
+ help
+ The name of the LSM to use with Netlabel
config SECURITY_PATH
bool Security hooks for pathname based access control
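Review bot: the help text of the new option, "The name of the LSM to use with Netlabel", does not say which values are accepted or what the `(all)` and `(first)` defaults select. Extend the help to describe each accepted value and the resulting behaviour, and spell the subsystem name "NetLabel" as it is written elsewhere.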
--
paul moore
www.paul-moore.com
. You get the idea ...
--
paul moore
www.paul-moore.com
On Wednesday, July 31, 2013 08:45:52 AM Casey Schaufler wrote:
On 7/30/2013 2:47 PM, Paul Moore wrote:
On Thursday, July 25, 2013 11:32:23 AM Casey Schaufler wrote:
Subject: [PATCH v14 5/6] LSM: SO_PEERSEC configuration options
Refine the handling of SO_PEERSEC to enable legacy
user
On Wednesday, July 31, 2013 09:22:23 AM Casey Schaufler wrote:
On 7/30/2013 3:08 PM, Paul Moore wrote:
On Thursday, July 25, 2013 11:32:11 AM Casey Schaufler wrote:
Subject: [PATCH v14 3/6] LSM: Explicit individual LSM associations
Expand the /proc/.../attr interface set to help include
On Wednesday, July 31, 2013 02:21:54 PM Casey Schaufler wrote:
On 7/31/2013 12:39 PM, Paul Moore wrote:
On Wednesday, July 31, 2013 09:22:23 AM Casey Schaufler wrote:
On 7/30/2013 3:08 PM, Paul Moore wrote:
On Thursday, July 25, 2013 11:32:11 AM Casey Schaufler wrote:
Subject: [PATCH v14
On Thursday, August 01, 2013 11:52:14 AM Casey Schaufler wrote:
On 8/1/2013 11:35 AM, Paul Moore wrote:
Okay, so if I understand everything correctly, there are no new entries in
/proc relating specifically to NetLabel, XFRM, or Secmark; although there
are new LSM specific entries
On Thursday, August 01, 2013 03:15:00 PM Casey Schaufler wrote:
On 8/1/2013 2:30 PM, Paul Moore wrote:
On Thursday, August 01, 2013 11:52:14 AM Casey Schaufler wrote:
On 8/1/2013 11:35 AM, Paul Moore wrote:
Okay, so if I understand everything correctly, there are no new entries
in
/proc
cleanup right now, it
should be back up shortly. That said, it should be empty today so no worries
if you want to skip it today.
-Paul
--
paul moore
www.paul-moore.com