[PATCH] Modify audit2why analyze function to use loaded policy
Class and perms should come from the policy being used for analysis, not the system policy so use sepol_ interfaces Change-Id: Ia0590ed2514249fd98810a8d4fe87f8bf5280561 --- libselinux/src/audit2why.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c index 12745b3..abe1701 100644 --- a/libselinux/src/audit2why.c +++ b/libselinux/src/audit2why.c @@ -343,8 +343,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args if (rc < 0) RETURN(BADTCON) - tclass = string_to_security_class(tclassstr); - if (!tclass) + rc = sepol_string_to_security_class(tclassstr, ); + if (rc < 0) RETURN(BADTCLASS) /* Convert the permission list to an AV. */ @@ -365,8 +365,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args permstr = PyString_AsString( strObj ); #endif - perm = string_to_av_perm(tclass, permstr); - if (!perm) + rc = sepol_string_to_av_perm(tclass, permstr, ); + if (rc < 0) RETURN(BADPERM) av |= perm; -- 2.1.0 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
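Review bot: in the first hunk (@@ -343) the new call reads `rc = sepol_string_to_security_class(tclassstr, );` with an empty second argument, so as shown it cannot compile and `tclass`, which the second hunk still passes to sepol_string_to_av_perm(), is never assigned. The output pointer (`&tclass`) belongs there; please check that the patch was not mangled in transit and that `tclass` is declared with the type that interface expects. The switch from `if (!tclass)` to `if (rc < 0)` is consistent with the `if (rc < 0) RETURN(BADTCON)` check in the surrounding context.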
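Review bot: the same defect appears in the second hunk (@@ -365) at `rc = sepol_string_to_av_perm(tclass, permstr, );`: the third argument is empty, yet the context line `av |= perm;` depends on `perm` being filled in through that pointer, so `&perm` is needed both for the hunk to compile and for the looked-up bit to reach `av`. Dropping the old `if (!perm)` guard is fine with the output-parameter form, since a failed lookup now takes the `rc < 0` path to RETURN(BADPERM) before `av |= perm` runs.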
Re: XWindows and CLIP?
John Chludzinski wrote:
> What are the issues with XWindows and CLIP? Why is CLIP XWindow-less?

CLIP strives to be a minimal system suited to secure solutions and does not come with software not necessary for such systems (e.g., cross domain solutions).

> Is there something inherently insecure with the XWindow client/server model?

Xorg manages interactions between programs running under X itself and is therefore an object manager (similar to how an RDBMS is an object manager that manages rows and tables). There is work to extend SELinux controls to Xorg (XACE) but without using XACE and X SELinux policy you cannot meaningfully manage information flow between X applications using SELinux.
Re: Possible problem with e6afc8ac ("udp: remove headers from UDP packets before queueing")
On Wed, Jun 1, 2016 at 4:44 PM, Stephen Smalley wrote:
> On 06/01/2016 03:18 PM, Eric Dumazet wrote:
>> On Wed, 2016-06-01 at 15:01 -0400, Paul Moore wrote:
>>> Hello,
>>>
>>> I'm currently trying to debug a problem with 4.7-rc1 and labeled networking over UDP. I'm having some difficulty with the latest 4.7-rc1 builds on my test system at the moment so I haven't been able to concisely identify the problem, but looking through the commits in 4.7-rc1 I think there may be a problem with the following:
>>>
>>> commit e6afc8ace6dd5cef5e812f26c72579da8806f5ac
>>> Author: samanthakumar
>>> Date: Tue Apr 5 12:41:15 2016 -0400
>>>
>>>     udp: remove headers from UDP packets before queueing
>>>
>>>     Remove UDP transport headers before queueing packets for reception. This change simplifies a follow-up patch to add MSG_PEEK support.
>>>
>>>     Signed-off-by: Sam Kumar
>>>     Signed-off-by: Willem de Bruijn
>>>     Signed-off-by: David S. Miller
>>>
>>> ... it appears that this commit changes things so that sk_filter() is only called when sk->sk_filter is not NULL. While this is fine for the traditional socket filter case, it causes problems with LSMs that make use of security_sock_rcv_skb() to enforce per-packet access controls.
>>>
>>> Hopefully I'll get 4.7-rc1 booting soon and I can do a proper bisection test around this patch, but I wanted to mention this now in case others are seeing the same problem.
>>
>> Thanks for the report. Please try following fix.
>>
>> sk_filter() got additional features like the skb_pfmemalloc() things and security_sock_rcv_skb()
>
> This resolved the SELinux regression for me.
>
> Tested-by: Stephen Smalley

The patch works for me too. Eric, are you going to send this to DaveM (assuming he isn't listening in on this thread and picking it up himself)?

Tested-by: Paul Moore

>> diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c >> index d56c0559b477..0ff31d97d485 100644 >> --- a/net/ipv4/udp.c >> +++ b/net/ipv4/udp.c
>> @@ -1618,12 +1618,12 @@ int udp_queue_rcv_skb(struct sock *sk, struct >> sk_buff *skb) >> } >> } >> >> - if (rcu_access_pointer(sk->sk_filter)) { >> - if (udp_lib_checksum_complete(skb)) >> + if (rcu_access_pointer(sk->sk_filter) && >> + udp_lib_checksum_complete(skb)) >> goto csum_error; >> - if (sk_filter(sk, skb)) >> - goto drop; >> - } >> + >> + if (sk_filter(sk, skb)) >> + goto drop; >> >> udp_csum_pull_header(skb); >> if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) { >> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c >> index 2da1896af934..f421c9f23c5b 100644 >> --- a/net/ipv6/udp.c >> +++ b/net/ipv6/udp.c >> @@ -653,12 +653,12 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct >> sk_buff *skb) >> } >> } >> >> - if (rcu_access_pointer(sk->sk_filter)) { >> - if (udp_lib_checksum_complete(skb)) >> - goto csum_error; >> - if (sk_filter(sk, skb)) >> - goto drop; >> - } >> + if (rcu_access_pointer(sk->sk_filter) && >> + udp_lib_checksum_complete(skb)) >> + goto csum_error; >> + >> + if (sk_filter(sk, skb)) >> + goto drop; >> >> udp_csum_pull_header(skb); >> if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) { >> >> -- paul moore www.paul-moore.com
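Review bot: in the net/ipv4/udp.c hunk the split leaves udp_lib_checksum_complete() gated on `rcu_access_pointer(sk->sk_filter)` while sk_filter() now runs for every socket, and nothing in the code says why the two are treated differently. Since the whole point of the fix (per Eric's remark above that sk_filter() carries the skb_pfmemalloc() check and security_sock_rcv_skb()) is that sk_filter() must run even with no BPF program attached, a one-line comment to that effect above `if (sk_filter(sk, skb))` would stop the next reader from folding it back under the sk_filter test. The commit message should also name the regressed hook (security_sock_rcv_skb(), hence LSM per-packet controls) and carry a Fixes: tag for e6afc8ace6dd5cef5e812f26c72579da8806f5ac, which is the commit this thread identifies.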
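Review bot: the net/ipv6/udp.c hunk is the same restructuring as the IPv4 one, with the same checksum gating on sk->sk_filter, so whatever explanatory comment lands in udp_queue_rcv_skb() should be mirrored in udpv6_queue_rcv_skb(); otherwise the hunk looks right: sk_filter() is now reached unconditionally before udp_csum_pull_header(), and the `goto csum_error` / `goto drop` targets are unchanged.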
XWindows and CLIP?
What are the issues with XWindows and CLIP? Why is CLIP XWindow-less?

Is there something inherently insecure with the XWindow client/server model?
Re: [RFC 1/2] selinux: Stop looking up dentries from inodes
On Wed, Jun 1, 2016 at 3:44 PM, Stephen Smalley wrote:
> On 05/31/2016 11:22 AM, Andreas Gruenbacher wrote:
>> With that fixed, could you possibly put this change to test?
>
> Falls over during boot in generic_getxattr(), which still needs a non-NULL dentry in the work.selinux branch.

dentry->d_sb needs to be changed to inode->i_sb there.

> Is there a reason that this is being done separately from work.xattr?

I don't know how much work.xattr will shift still (and what I can still add there), and this change is unrelated, at least so far.

> Also, if we aren't going to call d_find_alias() there, we can likely also drop the dget() and dput().

Ah, yes. I'll remove those, thanks.

Andreas
[PATCH] Sort object files for deterministic linking order
From: Laurent Bigonville

This patch is part of the Debian effort to make the build reproducible

Thanks to Reiner Herrmann for the patches

Signed-off-by: Laurent Bigonville

--- libselinux/src/Makefile | 2 +- libsemanage/src/Makefile | 2 +- libsepol/src/Makefile| 8 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index ac9a5d6..d94163e 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -49,7 +49,7 @@ ifeq ($(DISABLE_BOOL),y) endif GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i -SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(wildcard *.c)) +SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(sort $(wildcard *.c))) MAX_STACK_SIZE=32768 diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile index d6c3f0f..96ee652 100644 --- a/libsemanage/src/Makefile +++ b/libsemanage/src/Makefile @@ -52,7 +52,7 @@ SWIGRUBYSO=$(RUBYPREFIX)_semanage.so LIBSO=$(TARGET).$(LIBVERSION) GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) semanageswig_python_exception.i -SRCS= $(filter-out $(GENERATED),$(wildcard *.c)) +SRCS= $(filter-out $(GENERATED),$(sort $(wildcard *.c))) OBJS= $(patsubst %.c,%.o,$(SRCS)) conf-scan.o conf-parse.o LOBJS= $(patsubst %.c,%.lo,$(SRCS)) conf-scan.lo conf-parse.lo diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile index c0c3274..b0c901f 100644 --- a/libsepol/src/Makefile +++ b/libsepol/src/Makefile
@@ -18,15 +18,15 @@ TARGET=libsepol.so LIBPC=libsepol.pc LIBMAP=libsepol.map LIBSO=$(TARGET).$(LIBVERSION) -OBJS= $(patsubst %.c,%.o,$(wildcard *.c)) -LOBJS= $(patsubst %.c,%.lo,$(wildcard *.c)) +OBJS= $(patsubst %.c,%.o,$(sort $(wildcard *.c))) +LOBJS= $(patsubst %.c,%.lo,$(sort $(wildcard *.c))) CFLAGS ?= -Werror -Wall -W -Wundef -Wshadow -Wmissing-format-attribute -O2 override CFLAGS += -I. -I../include -D_GNU_SOURCE ifneq ($(DISABLE_CIL),y) -OBJS += $(sort $(patsubst %.c,%.o,$(wildcard $(CILDIR)/src/*.c) $(CIL_GENERATED))) -LOBJS += $(sort $(patsubst %.c,%.lo,$(wildcard $(CILDIR)/src/*.c) $(CIL_GENERATED))) +OBJS += $(sort $(patsubst %.c,%.o,$(sort $(wildcard $(CILDIR)/src/*.c)) $(CIL_GENERATED))) +LOBJS += $(sort $(patsubst %.c,%.lo,$(sort $(wildcard $(CILDIR)/src/*.c)) $(CIL_GENERATED))) override CFLAGS += -I$(CILDIR)/include endif -- 2.8.1
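Review bot: the libselinux/src/Makefile and libsemanage/src/Makefile hunks are correct, but the commit message only says the build should be reproducible and not why this change achieves it: `$(wildcard *.c)` returns entries in directory (readdir) order, which differs between filesystems and hence between build hosts, and since OBJS/LOBJS are derived from SRCS that order becomes the link order and changes the produced library byte for byte. Please state that in the message. Note that GNU make's `$(sort ...)` also drops duplicates, which is harmless here because wildcard results are unique.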
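Review bot: in the libsepol/src/Makefile hunk the added inner `$(sort $(wildcard $(CILDIR)/src/*.c))` on the two CIL lines is redundant: those lines already had an outer `$(sort $(patsubst ...))` that orders the complete list, $(CIL_GENERATED) included, so the inner sort changes nothing. The changes that matter in this hunk are the ones to the top-level OBJS and LOBJS, which previously had no sort at all; dropping the CIL-line changes would keep the diff to what actually fixes the ordering.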