On Thu, Nov 2, 2017 at 8:58 AM, Stephen Smalley wrote:
> On Wed, 2017-11-01 at 17:39 -0400, Paul Moore wrote:
>> On Tue, Oct 31, 2017 at 7:08 PM, Florian Westphal
>> wrote:
>> > Paul Moore wrote:
>> > > On Mon, Oct 30, 2017 at 10:58 AM,
On Wed, 2017-11-01 at 17:39 -0400, Paul Moore wrote:
> On Tue, Oct 31, 2017 at 7:08 PM, Florian Westphal
> wrote:
> > Paul Moore wrote:
> > > On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley wrote:
> > > > matching before (as in
On Tue, Oct 31, 2017 at 7:08 PM, Florian Westphal wrote:
> Paul Moore wrote:
>> On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley wrote:
>> > matching before (as in this patch) or after calling xfrm_bundle_ok()?
>>
>> I would probably
On Wed, 2017-11-01 at 00:08 +0100, Florian Westphal wrote:
> Paul Moore wrote:
> > On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley wrote:
> > > matching before (as in this patch) or after calling
> > > xfrm_bundle_ok()?
> >
> > I would probably
Paul Moore wrote:
> On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley wrote:
> > matching before (as in this patch) or after calling xfrm_bundle_ok()?
>
> I would probably make the LSM call the last check, as you've done; but
> I have to say that is just
On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley wrote:
> Since 4.14-rc1, the selinux-testsuite has been encountering sporadic
> failures during testing of labeled IPSEC. git bisect pointed to
> commit ec30d78c14a813db39a647b6a348b4286 ("xfrm: add xdst pcpu cache").
> The
Stephen Smalley wrote:
> It is a regression; the correct SA was being used prior to the xdst
> pcpu cache commit.
I don't doubt that at all. I would like to understand why the flow
cache did not have this problem.
> easily run on a Fedora VM,
> git clone
On Tue, 2017-10-31 at 09:43 -0400, Stephen Smalley wrote:
> On Tue, 2017-10-31 at 12:11 +0100, Florian Westphal wrote:
> > Stephen Smalley wrote:
> > > Since 4.14-rc1, the selinux-testsuite has been encountering
> > > sporadic
> > > failures during testing of labeled IPSEC.
On Tue, 2017-10-31 at 12:11 +0100, Florian Westphal wrote:
> Stephen Smalley wrote:
> > Since 4.14-rc1, the selinux-testsuite has been encountering
> > sporadic
> > failures during testing of labeled IPSEC. git bisect pointed to
> > commit ec30d78c14a813db39a647b6a348b4286
Stephen Smalley wrote:
> Since 4.14-rc1, the selinux-testsuite has been encountering sporadic
> failures during testing of labeled IPSEC. git bisect pointed to
> commit ec30d78c14a813db39a647b6a348b4286 ("xfrm: add xdst pcpu cache").
> The xdst pcpu cache is only checking that
Since 4.14-rc1, the selinux-testsuite has been encountering sporadic
failures during testing of labeled IPSEC. git bisect pointed to
commit ec30d78c14a813db39a647b6a348b4286 ("xfrm: add xdst pcpu cache").
The xdst pcpu cache is only checking that the policies are the same,
but does not validate
commit ec30d78c14a813db39a647b6a348b4286 ("xfrm: add xdst pcpu cache")
introduced a regression in the use of labeled IPSEC. The cache was only
checking that the policies are the same, but did not validate that the
policy, state, and flow matched with respect to security context labeling.
As a