Re: Login broken with old userspace (was Re: [PATCH v2] selinux: introduce an initial SID for early boot processes)

2023-08-01 Thread Paul Moore
On Tue, Aug 1, 2023 at 9:24 AM Ondrej Mosnacek wrote: > On Fri, Jul 28, 2023 at 5:12 PM Paul Moore wrote: > > > > On Fri, Jul 28, 2023 at 9:24 AM Christian Göttsche > > wrote: > > > > > > On Fri, 28 Jul 2023 at 15:14, Ondrej Mosnacek wrote: > > > > > > > > On Fri, Jul 28, 2023 at 1:52 PM

Re: Login broken with old userspace (was Re: [PATCH v2] selinux: introduce an initial SID for early boot processes)

2023-08-01 Thread Ondrej Mosnacek
On Fri, Jul 28, 2023 at 5:12 PM Paul Moore wrote: > > On Fri, Jul 28, 2023 at 9:24 AM Christian Göttsche > wrote: > > > > On Fri, 28 Jul 2023 at 15:14, Ondrej Mosnacek wrote: > > > > > > On Fri, Jul 28, 2023 at 1:52 PM Stephen Smalley > > > wrote: > > > > > > > > On Fri, Jul 28, 2023 at 7:36 

Re: Login broken with old userspace (was Re: [PATCH v2] selinux: introduce an initial SID for early boot processes)

2023-07-29 Thread Michael Ellerman
Ondrej Mosnacek writes: > On Fri, Jul 28, 2023 at 4:12 AM Michael Ellerman wrote: >> >> Ondrej Mosnacek writes: >> > Currently, SELinux doesn't allow distinguishing between kernel threads >> > and userspace processes that are started before the policy is first >> > loaded - both get the label

Re: Login broken with old userspace (was Re: [PATCH v2] selinux: introduce an initial SID for early boot processes)

2023-07-28 Thread Paul Moore
On Fri, Jul 28, 2023 at 9:24 AM Christian Göttsche wrote: > > On Fri, 28 Jul 2023 at 15:14, Ondrej Mosnacek wrote: > > > > On Fri, Jul 28, 2023 at 1:52 PM Stephen Smalley > > wrote: > > > > > > On Fri, Jul 28, 2023 at 7:36 AM Ondrej Mosnacek > > > wrote: > > > > > > > > On Fri, Jul 28, 2023

Re: Login broken with old userspace (was Re: [PATCH v2] selinux: introduce an initial SID for early boot processes)

2023-07-28 Thread Christian Göttsche
On Fri, 28 Jul 2023 at 15:14, Ondrej Mosnacek wrote: > > On Fri, Jul 28, 2023 at 1:52 PM Stephen Smalley > wrote: > > > > On Fri, Jul 28, 2023 at 7:36 AM Ondrej Mosnacek wrote: > > > > > > On Fri, Jul 28, 2023 at 4:12 AM Michael Ellerman > > > wrote: > > > > > > > > Ondrej Mosnacek writes: >

Re: Login broken with old userspace (was Re: [PATCH v2] selinux: introduce an initial SID for early boot processes)

2023-07-28 Thread Ondrej Mosnacek
On Fri, Jul 28, 2023 at 1:52 PM Stephen Smalley wrote: > > On Fri, Jul 28, 2023 at 7:36 AM Ondrej Mosnacek wrote: > > > > On Fri, Jul 28, 2023 at 4:12 AM Michael Ellerman > > wrote: > > > > > > Ondrej Mosnacek writes: > > > > Currently, SELinux doesn't allow distinguishing between kernel

Re: Login broken with old userspace (was Re: [PATCH v2] selinux: introduce an initial SID for early boot processes)

2023-07-28 Thread Stephen Smalley
On Fri, Jul 28, 2023 at 7:36 AM Ondrej Mosnacek wrote: > > On Fri, Jul 28, 2023 at 4:12 AM Michael Ellerman wrote: > > > > Ondrej Mosnacek writes: > > > Currently, SELinux doesn't allow distinguishing between kernel threads > > > and userspace processes that are started before the policy is

Re: Login broken with old userspace (was Re: [PATCH v2] selinux: introduce an initial SID for early boot processes)

2023-07-28 Thread Ondrej Mosnacek
On Fri, Jul 28, 2023 at 4:12 AM Michael Ellerman wrote: > > Ondrej Mosnacek writes: > > Currently, SELinux doesn't allow distinguishing between kernel threads > > and userspace processes that are started before the policy is first > > loaded - both get the label corresponding to the kernel SID.

Login broken with old userspace (was Re: [PATCH v2] selinux: introduce an initial SID for early boot processes)

2023-07-27 Thread Michael Ellerman
Ondrej Mosnacek writes: > Currently, SELinux doesn't allow distinguishing between kernel threads > and userspace processes that are started before the policy is first > loaded - both get the label corresponding to the kernel SID. The only > way a process that persists from early boot can get a