Re: SELinux Namespace on bind mounted files

2018-03-08 Thread James Morris
On Thu, 8 Mar 2018, Daniel Walsh wrote: > I am not a big fan of Namespaced SELinux.  I think it complicates things and > will confuse people.  I would think a better solution would be to run your > container with a different type so that you could allow access to these file > types. > > It would

Re: [PATCH] libsepol: Prevent freeing uninitialized value in ibendport handling

2018-03-08 Thread Nicolas Iooss
On Wed, Mar 7, 2018 at 4:05 PM, James Carter wrote: > Nicolas Iooss reports: > In sepol_ibendport_key_create(), if sepol_ibendport_alloc_ibdev_name() > fails to allocate tmp_key->ibdev_name, sepol_ibendport_key_free() is > called to free the memory associated with tmp_key,

Re: Re: [PATCH 2/3] libsepol: cil: show an error when cil_expr_to_string() fails

2018-03-08 Thread Stephen Smalley
On 03/08/2018 03:42 PM, Nicolas Iooss wrote: > On Tue, Mar 6, 2018 at 10:29 PM, Stephen Smalley wrote: >> On 03/05/2018 05:58 PM, Nicolas Iooss wrote: >>> cil_tree_print_expr() calls cil_expr_to_string() in order to compute a >>> string expression into expr_str. If this

Re: [PATCH] net: don't unnecessarily load kernel modules in dev_ioctl()

2018-03-08 Thread Eric Dumazet
On 03/08/2018 10:11 AM, David Miller wrote: Yeah, understood. At small scale the current behavior maybe made sense, but these days it really doesn't. No objections to the knob if you want to submit it. Thanks David, I have rebased my patch and sent it. New numbers on net-next are

Re: [PATCH 1/1] libselinux, libsemanage: Replace PYSITEDIR with PYTHONLIBDIR

2018-03-08 Thread Nicolas Iooss
On Thu, Mar 8, 2018 at 8:34 PM, Stephen Smalley wrote: > On 03/06/2018 04:19 PM, Stephen Smalley wrote: >> On 03/05/2018 05:16 PM, Nicolas Iooss wrote: >>> libselinux and libsemanage Makefiles invoke site.getsitepackages() in >>> order to get the path to the directory

Re: [PATCH 2/3] libsepol: cil: show an error when cil_expr_to_string() fails

2018-03-08 Thread Nicolas Iooss
On Tue, Mar 6, 2018 at 10:29 PM, Stephen Smalley wrote: > On 03/05/2018 05:58 PM, Nicolas Iooss wrote: >> cil_tree_print_expr() calls cil_expr_to_string() in order to compute a >> string expression into expr_str. If this function fails, expr_str is >> left uninitialized but its

Re: [PATCH 3/3] libsemanage: replace access() checks to make setuid programs work

2018-03-08 Thread Stephen Smalley
On 03/07/2018 09:59 AM, Stephen Smalley wrote: > On 03/06/2018 06:58 AM, Vit Mojzis wrote: >> access() uses real UID instead of effective UID which causes false >> negative checks in setuid programs. >> Replace access(,F_OK) (i.e. tests for file existence) by stat(). >> And access(,R_OK) by

[PATCH] libsepol: Export sepol_polcap_getnum/name functions

2018-03-08 Thread Stephen Smalley
Export the sepol_polcap_getnum/name() functions to users of the shared library. This will enable SETools to stop depending on the static library. Note that we may want to move polcaps.h up one level since the convention is that headers directly under include/sepol are shared library APIs while

Re: [PATCH 2/3] libsemanage: remove access() check to make setuid programs work

2018-03-08 Thread Stephen Smalley
On 03/06/2018 06:58 AM, Vit Mojzis wrote: > F_OK access checks only work properly as long as all directories along > the path are accessible to real user running the program. > Replace F_OK access checks by testing return value of open, write, etc. Applied patches 1 and 2 (not 3 as per my

Re: [PATCH 3/3] libsemanage: silence clang static analyzer report

2018-03-08 Thread Stephen Smalley
On 03/05/2018 05:58 PM, Nicolas Iooss wrote: > clang's static analyzer reports an out-of-bound array access in > semanage_user_roles() when num_roles is zero, with the following > statement: > > strcpy(roles,roles_arr[0]); > > When num_roles is zero, roles_arr[0] is not uninitialized and

Re: [PATCH 1/1] libselinux, libsemanage: Replace PYSITEDIR with PYTHONLIBDIR

2018-03-08 Thread Stephen Smalley
On 03/06/2018 04:19 PM, Stephen Smalley wrote: > On 03/05/2018 05:16 PM, Nicolas Iooss wrote: >> libselinux and libsemanage Makefiles invoke site.getsitepackages() in >> order to get the path to the directory /usr/lib/pythonX.Y/site-packages >> that matches the Python interpreter chosen with

Re: [PATCH] net: don't unnecessarily load kernel modules in dev_ioctl()

2018-03-08 Thread David Miller
From: Eric Dumazet Date: Thu, 8 Mar 2018 10:05:12 -0800 > Another problematic legacy behavior is the automatic creation of > fallback tunnels, which hurts netns creation/deletion. > > Some environments want to create a netns for every job/task, and they > do not care if

Re: [PATCH] net: don't unnecessarily load kernel modules in dev_ioctl()

2018-03-08 Thread Eric Dumazet
On 03/08/2018 09:34 AM, David Miller wrote: From: Stephen Hemminger Date: Tue, 6 Mar 2018 15:59:20 -0800 Actually dev_load by ethernet name is really a legacy thing that should just die, It was kept around so that some very tunnel configuration using special

Re: [PATCH] net: don't unnecessarily load kernel modules in dev_ioctl()

2018-03-08 Thread David Miller
From: Stephen Hemminger Date: Tue, 6 Mar 2018 15:59:20 -0800 > Actually dev_load by ethernet name is really a legacy thing that > should just die, > > It was kept around so that some very tunnel configuration using special names. > > # ifconfig sit0 > > which

Re: SELinux Namespace on bind mounted files

2018-03-08 Thread Daniel Walsh
On 03/08/2018 01:20 PM, Stephen Smalley wrote: On 03/08/2018 05:55 AM, Zvonko Kosic wrote: I've seen the presentation by James Morrison about namespacing SELinux and I have a question regarding a special case we have in our environment. We have third party prestart runtime hooks for docker

Re: SELinux Namespace on bind mounted files

2018-03-08 Thread Stephen Smalley
On 03/08/2018 05:55 AM, Zvonko Kosic wrote: > I've seen the presentation by James Morrison about namespacing SELinux and I > have a question regarding a special case we have in our environment. > > We have third party prestart runtime hooks for docker which bind mount > files from the host

[PATCH 4/8] LSM: Manage task security blobs

2018-03-08 Thread Casey Schaufler
Subject: [PATCH 4/8] LSM: Manage task security blobs Move management of task security blobs into the security infrastructure. Modules are required to identify the space they require. At this time there are no modules that use task blobs. Signed-off-by: Casey Schaufler

[PATCH 5/8] LSM: Manage remaining security blobs

2018-03-08 Thread Casey Schaufler
Subject: [PATCH 5/8] LSM: Manage remaining security blobs Move management of the inode, ipc, key, msg_msg, sock and superblock security blobs from the security modules to the infrastructure. Use of the blob pointers is abstracted in the security modules. Signed-off-by: Casey Schaufler

[PATCH 2/8] LSM: Manage credential security blobs

2018-03-08 Thread Casey Schaufler
Subject: [PATCH 2/8] LSM: Manage credential security blobs Move the management of credential security blobs from the individual security modules to the security infrastructure. The security modules using credential blobs have been updated accordingly. Modules are required to identify the space

[PATCH 3/8] LSM: Manage file security blobs

2018-03-08 Thread Casey Schaufler
Subject: [PATCH 3/8] LSM: Manage file security blobs Move the management of file security blobs from the individual security modules to the security infrastructure. The security modules using file blobs have been updated accordingly. Modules are required to identify the space they need at module

[PATCH 8/8] LSM: Full security module stacking

2018-03-08 Thread Casey Schaufler
Subject: [PATCH 8/8] LSM: Full security module stacking Allow any combination of existing security modules, including those using secids and security marked networking. The interfaces used by filesystems to maintain security attributes: security_inode_setsecctx

[PATCH 1/8] procfs: add smack subdir to attrs

2018-03-08 Thread Casey Schaufler
Subject: [PATCH 1/8] procfs: add smack subdir to attrs Back in 2007 I made what turned out to be a rather serious mistake in the implementation of the Smack security module. The SELinux module used an interface in /proc to manipulate the security context on processes. Rather than use a similar

[PATCH 6/8] LSM: General stacking

2018-03-08 Thread Casey Schaufler
Subject: [PATCH 6/8] LSM: General stacking Leverage the infrastructure management of the security blobs to allow stacking of security modules in all but the most extreme case. Security modules are informed of the location of their data within the blobs at module initialization. Stacking is

[PATCH 7/8] LSM: Multiple security mount options

2018-03-08 Thread Casey Schaufler
Subject: [PATCH 7/8] LSM: Multiple security mount options There needs to be separate data for each of the security modules that support mount options. Expand the security_mnt_opts structure to include an entry for each security module that uses them. It would be better to have a variable size

[PATCH 0/8] LSM: Security module stacking

2018-03-08 Thread Casey Schaufler
Subject: [PATCH 0/8] LSM: Security module stacking Move the management of Linux Security Module (LSM) data blobs out of the individual modules and into the LSM infrastructure. The modules are now required to declare how much space they need for each sort of blob used. This will allow modules that

SELinux Namespace on bind mounted files

2018-03-08 Thread Zvonko Kosic
I've seen the presentation by James Morrison about namespacing SELinux and I have a question regarding a special case we have in our environment. We have third party prestart runtime hooks for docker which bind mount files from the host into the container image, which have the wrong label. To