Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-10-31 Thread Paul Moore
On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley wrote: > Since 4.14-rc1, the selinux-testsuite has been encountering sporadic > failures during testing of labeled IPSEC. git bisect pointed to > commit ec30d78c14a813db39a647b6a348b4286 ("xfrm: add xdst pcpu cache"). > The

Re: [RFC PATCH 0/5] Add SELinux SCTP protocol support

2017-10-31 Thread Marcelo Ricardo Leitner
On Tue, Oct 17, 2017 at 02:53:59PM +0100, Richard Haines wrote: > This patch set adds SELinux support to SCTP and incorporates all the > comments received from my previous attempts (thanks to all who responded). > There are also other changes mainly supporting ip options so that CIPSO > and CALIPSO

Re: [RFC PATCH 1/5] security: Add support for SCTP security hooks

2017-10-31 Thread Marcelo Ricardo Leitner
On Tue, Oct 17, 2017 at 03:02:47PM +0100, Richard Haines wrote: > The SCTP security hooks are explained in: > Documentation/security/LSM-sctp.txt > > Signed-off-by: Richard Haines > --- > Documentation/security/LSM-sctp.txt | 212 >

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-10-31 Thread Florian Westphal
Stephen Smalley wrote: > It is a regression; the correct SA was being used prior to the xdst > pcpu cache commit. I don't doubt that at all. I would like to understand why the flow cache did not have this problem. > easily run on a Fedora VM, > git clone

Re: [RFC v0.1][PATCH] selinuxns: extend namespace support to security.selinux xattrs

2017-10-31 Thread Stephen Smalley
On Tue, 2017-10-31 at 09:00 -0400, Stephen Smalley wrote: > On Tue, 2017-10-31 at 14:11 +1100, James Morris wrote: > > On Mon, 30 Oct 2017, Stephen Smalley wrote: > > > > > Thanks, interesting approach. One drawback is that it doesn't > > > presently > > > support any form of inheritance of

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-10-31 Thread Stephen Smalley
On Tue, 2017-10-31 at 09:43 -0400, Stephen Smalley wrote: > On Tue, 2017-10-31 at 12:11 +0100, Florian Westphal wrote: > > Stephen Smalley wrote: > > > Since 4.14-rc1, the selinux-testsuite has been encountering > > > sporadic > > > failures during testing of labeled IPSEC.

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-10-31 Thread Stephen Smalley
On Tue, 2017-10-31 at 12:11 +0100, Florian Westphal wrote: > Stephen Smalley wrote: > > Since 4.14-rc1, the selinux-testsuite has been encountering > > sporadic > > failures during testing of labeled IPSEC. git bisect pointed to > > commit ec30d78c14a813db39a647b6a348b4286

Re: [RFC v0.1][PATCH] selinuxns: extend namespace support to security.selinux xattrs

2017-10-31 Thread Stephen Smalley
On Tue, 2017-10-31 at 14:11 +1100, James Morris wrote: > On Mon, 30 Oct 2017, Stephen Smalley wrote: > > > Thanks, interesting approach. One drawback is that it doesn't > > presently > > support any form of inheritance of labels from the parent > > namespace, so > > files that are shared

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-10-31 Thread Florian Westphal
Stephen Smalley wrote: > Since 4.14-rc1, the selinux-testsuite has been encountering sporadic > failures during testing of labeled IPSEC. git bisect pointed to > commit ec30d78c14a813db39a647b6a348b4286 ("xfrm: add xdst pcpu cache"). > The xdst pcpu cache is only checking that