Re: Fwd: Query regarding Selinux Change Id context

2017-11-28 Thread Aman Sharma
Hi Stephen, Below is the output of command: sestatus -v output SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mod

Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys

2017-11-28 Thread Chris PeBenito
On 11/27/2017 05:50 PM, Paul Moore wrote: On Mon, Nov 27, 2017 at 3:04 PM, Daniel Jurgens wrote: On 11/27/2017 10:19 AM, Paul Moore wrote: On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens wrote: From: Daniel Jurgens For controlling IPoIB VLANs Reported-by: Honggang LI Signed-off-by: Daniel J

Re: [PATCH V3 2/2] IMA: Support using new creds in appraisal policy

2017-11-28 Thread Mimi Zohar
On Tue, 2017-11-28 at 13:37 -0800, Matthew Garrett wrote: > On Tue, Nov 28, 2017 at 1:35 PM, Mimi Zohar wrote: > > On Tue, 2017-11-28 at 13:22 -0800, Matthew Garrett wrote: > >> We need to check against the appropriate credentials structure, and > >> since we're doing this before commit_creds() ha

Re: [PATCH V3 2/2] IMA: Support using new creds in appraisal policy

2017-11-28 Thread Mimi Zohar
On Tue, 2017-11-28 at 13:22 -0800, Matthew Garrett wrote: > On Tue, Nov 28, 2017 at 12:48 PM, Mimi Zohar wrote: > > Hi Matthew, > > > > On Thu, 2017-10-26 at 01:40 -0700, Matthew Garrett wrote: > > > The existing BPRM_CHECK functionality in IMA validates against the > > > credentials of the existi

Re: [PATCH V3 2/2] IMA: Support using new creds in appraisal policy

2017-11-28 Thread Matthew Garrett via Selinux
On Tue, Nov 28, 2017 at 12:48 PM, Mimi Zohar wrote: > Hi Matthew, > > On Thu, 2017-10-26 at 01:40 -0700, Matthew Garrett wrote: > > The existing BPRM_CHECK functionality in IMA validates against the > > credentials of the existing process, not any new credentials that the > > child process may tra

Re: [PATCH V3 2/2] IMA: Support using new creds in appraisal policy

2017-11-28 Thread Mimi Zohar
Hi Matthew, On Thu, 2017-10-26 at 01:40 -0700, Matthew Garrett wrote: > The existing BPRM_CHECK functionality in IMA validates against the > credentials of the existing process, not any new credentials that the > child process may transition to. Add an additional CREDS_CHECK target > and refactor

Re: [PATCH 4/4] selinux: Add SCTP support

2017-11-28 Thread Stephen Smalley
On Tue, 2017-11-28 at 14:39 -0500, Stephen Smalley wrote: > On Mon, 2017-11-27 at 19:32 +, Richard Haines wrote: > > The SELinux SCTP implementation is explained in: > > Documentation/security/SELinux-sctp.rst > > > > Signed-off-by: Richard Haines > > --- > >  Documentation/security/SELinux-s

Re: [PATCH 4/4] selinux: Add SCTP support

2017-11-28 Thread Stephen Smalley
On Mon, 2017-11-27 at 19:32 +, Richard Haines wrote: > The SELinux SCTP implementation is explained in: > Documentation/security/SELinux-sctp.rst > > Signed-off-by: Richard Haines > --- >  Documentation/security/SELinux-sctp.rst | 104 >  security/selinux/hooks.c|

Re: [PATCH v2] libsemanage: Use umask(0077) for fopen() write operations

2017-11-28 Thread Stephen Smalley
On Mon, 2017-11-27 at 21:33 +0100, Petr Lautrbach wrote: > When a calling process uses umask(0) some files in the SELinux module > store can be created to be world writeable. With this patch, > libsemanage > sets umask(0077) before fopen() operations and restores the original > umask value when it'

[PATCH 1/4] security: Add support for SCTP security hooks

2017-11-28 Thread Richard Haines
The SCTP security hooks are explained in: Documentation/security/LSM-sctp.rst Signed-off-by: Richard Haines --- Documentation/security/LSM-sctp.rst | 194 include/linux/lsm_hooks.h | 35 +++ include/linux/security.h| 25 + secu

[PATCH 0/4] Add SELinux SCTP protocol support

2017-11-28 Thread Richard Haines
The kernel patches have been built on Fedora 27 with kernel 4.13.12 plus the following userspace patches to enable testing: 1) Updates to libsepol 2.7 to support the sctp portcon statement. The patch is available from: http://arctic.selinuxproject.org/~rhaines/selinux-sctp/ se

[PATCH 3/4] sctp: Add LSM hooks

2017-11-28 Thread Richard Haines
Add security hooks to allow security modules to exercise access control over SCTP. Signed-off-by: Richard Haines --- include/net/sctp/structs.h | 10 include/uapi/linux/sctp.h | 1 + net/sctp/sm_make_chunk.c | 12 + net/sctp/sm_statefuns.c| 18 ++ net/sctp/so

[PATCH 2/4] sctp: Add ip option support

2017-11-28 Thread Richard Haines
Add ip option support to allow LSM security modules to utilise CIPSO/IPv4 and CALIPSO/IPv6 services. Signed-off-by: Richard Haines --- include/net/sctp/structs.h | 2 ++ net/sctp/chunk.c | 13 - net/sctp/ipv6.c| 42 +++--- ne

[PATCH 4/4] selinux: Add SCTP support

2017-11-28 Thread Richard Haines
The SELinux SCTP implementation is explained in: Documentation/security/SELinux-sctp.rst Signed-off-by: Richard Haines --- Documentation/security/SELinux-sctp.rst | 104 security/selinux/hooks.c| 278 +--- security/selinux/include/classmap

Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys

2017-11-28 Thread Daniel Jurgens
On 11/27/2017 10:19 AM, Paul Moore wrote: > On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> For controlling IPoIB VLANs >> >> Reported-by: Honggang LI >> Signed-off-by: Daniel Jurgens >> Tested-by: Honggang LI >> --- >> networkmanager.te |2 ++ >> 1 files

[PATCH v2] libsemanage: Use umask(0077) for fopen() write operations

2017-11-28 Thread Petr Lautrbach
When a calling process uses umask(0) some files in the SELinux module store can be created to be world writeable. With this patch, libsemanage sets umask(0077) before fopen() operations and restores the original umask value when it's done. Fixes: drwx--. /var/lib/selinux/targeted/active -rw-rw