On 04/11/2018 05:26 AM, Vit Mojzis wrote:
> This allows sepolgen to generate policy from AVC messages that contain
> contexts translated by mcstrans.
>
> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1356149
Not friendly to cite a non-public bugzilla.
>
> Signed-off-by: Vit Mojzis
On 04/12/2018 11:07 AM, Stephen Smalley wrote:
> On 04/12/2018 06:26 AM, Vit Mojzis wrote:
>> Commit 8702a865e08b5660561e194a83e4a363061edc03 causes file mode of
>> seusers and users_extra to change based on the value defined in config
>> file whenever direct_commit
On 04/12/2018 04:03 PM, Petr Lautrbach wrote:
> On Thu, Apr 12, 2018 at 01:22:40PM -0400, Stephen Smalley wrote:
>> On 04/12/2018 11:07 AM, Stephen Smalley wrote:
>>> On 04/12/2018 06:26 AM, Vit Mojzis wrote:
>>>> Commit 8702a865e08b5660561e194a83e4a363061edc03 ca
"selinux: wrap selinuxfs state")
Reported-by: Tetsuo Handa <penguin-ker...@i-love.sakura.ne.jp>
Reported-by: Dmitry Vyukov <dvyu...@google.com>
Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov>
---
security/selinux/selinuxfs.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/s
On 04/12/2018 06:26 AM, Vit Mojzis wrote:
> Commit 8702a865e08b5660561e194a83e4a363061edc03 causes file mode of
> seusers and users_extra to change based on the value defined in config
> file whenever direct_commit is called and policy is not rebuilt.
> (e.g. when setting a boolean).
>
> Fixes:
Hi,
We are looking at making a 2.8-rc1 selinux userspace release in the
not-too-distant future,
so if you have any additional patches you want included in 2.8, please post
them to the list soon.
Thanks.
On 04/18/2018 04:01 PM, Stephen Smalley wrote:
> On 04/18/2018 03:40 PM, Jaap wrote:
>>
>> SELinux always crashes at startup. The problem is always reported (says SELinux),
>> but it does not get better.
>
> None of the SELinux messages you showed are errors. The
On 04/18/2018 03:40 PM, Jaap wrote:
>
> SELinux always crashes at startup. The problem is always reported (says SELinux),
> but it does not get better.
None of the SELinux messages you showed are errors. They are just
informational, and the message "the above unknown classes and permissions will
On 04/13/2018 08:40 PM, William Roberts wrote:
> In general this series looks fine.
>
> However, checkpatch.pl is complaining about DOS line endings in your patches:
>
> For example:
> ERROR: DOS line endings
> #325: FILE: libselinux/src/label_file.h:281:
> +^I^Iint alloc_stems =
nd userspace permission
denials (USER_AVC) since boot. You can use other start time values (e.g.
recent, today, ...) and other selectors to control exactly what is reported.
>
>
> On 04/18/2018 10:04 PM, Stephen Smalley wrote:
>> On 04/18/2018 04:01 PM, Stephen Smalley wrote:
Richard Haines via Selinux (1):
selinux: Add support for the SCTP portcon keyword
Stephen Smalley (4):
checkpolicy,libselinux,libsepol,policycoreutils: Update my email address
semodule-utils: remove semodule_deps
libsepol: Export sepol_polcap_getnum/name functions
Update
On 04/20/2018 08:31 AM, Petr Lautrbach wrote:
> On Thu, Apr 19, 2018 at 11:07:39AM -0400, Stephen Smalley wrote:
>> A 2.8-rc1 release candidate for the SELinux userspace is now available at:
>> https://github.com/SELinuxProject/selinux/wiki/Releases
>>
>> Please giv
On 04/20/2018 09:31 AM, Petr Lautrbach wrote:
> On Fri, Apr 20, 2018 at 08:49:41AM -0400, Stephen Smalley wrote:
>> On 04/20/2018 08:31 AM, Petr Lautrbach wrote:
>>> On Thu, Apr 19, 2018 at 11:07:39AM -0400, Stephen Smalley wrote:
>>>> A 2.8-rc1 release candidate fo
This reverts commit 814631d3aebaa041073a42c677c1ed62ce7830d5.
As reported by Petr Lautrbach, this commit changed the behavior
of selabel_open() when SELABEL_OPT_VALIDATE is 0, and this would
be an API change.
Reported-by: Petr Lautrbach <plaut...@redhat.com>
Signed-off-by: Stephen Smal
On 04/25/2018 10:11 AM, Yuli Khodorkovskiy wrote:
> On Fri, Apr 20, 2018 at 10:09 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>> On 04/20/2018 09:31 AM, Petr Lautrbach wrote:
>>> On Fri, Apr 20, 2018 at 08:49:41AM -0400, Stephen Smalley wrote:
>>>> On 04/20
On 04/24/2018 11:22 AM, David Howells wrote:
> Stephen Smalley <s...@tycho.nsa.gov> wrote:
>
>> Neither fsopen() nor fscontext_fs_write() appear to perform any kind of
>> up-front permission checking (DAC or MAC), although some security hooks may
>> be ultimately
On 04/20/2018 11:35 AM, David Howells wrote:
> Paul Moore wrote:
>
>> Adding the SELinux mailing list to the CC line; in the future please
>> include the SELinux mailing list on patches like this. It would also
>> be very helpful to include "selinux" somewhere in the
On 04/23/2018 09:30 AM, David Herrmann wrote:
> Make sure to implement the new unix_stream_socketpair callback so the
> SO_PEERSEC call on socketpair(2)s will return correct information.
>
> Signed-off-by: David Herrmann <dh.herrm...@gmail.com>
Acked-by: Stephen Smalley
The selinux namespace work has been rebased on top of the latest selinux/next
branch, which in turn is now 4.17-rc1 based.
As before, it can be found at:
https://github.com/stephensmalley/selinux-kernel/tree/selinuxns
As a reminder, this is still highly experimental and has a number of known
On 03/29/2018 11:48 AM, Yuli Khodorkovskiy wrote:
>
>
> On Thu, Mar 29, 2018 at 9:49 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>
> On 03/28/2018 11:40 PM, Yuli Khodorkovskiy wrote:
> > Keep track o
On 03/29/2018 02:29 PM, Stephen Smalley wrote:
> On 03/29/2018 01:57 PM, valdis.kletni...@vt.edu wrote:
>> Seeing this error trying to mount ext4 disks. next-20180320 was OK.
>>
>> SELinux: (dev dm-3, type ext4) getxattr errno 34
>>
>> and for /var, it refused
On 03/29/2018 01:57 PM, valdis.kletni...@vt.edu wrote:
> Seeing this error trying to mount ext4 disks. next-20180320 was OK.
>
> SELinux: (dev dm-3, type ext4) getxattr errno 34
>
> and for /var, it refused to mount entirely (which brought the boot
> process to a screeching halt).
>
> git log
On 03/28/2018 11:40 PM, Yuli Khodorkovskiy wrote:
> In permissive mode, calling restorecon with a bad label in file_contexts
> does not verify the label's existence in the loaded policy. This
> results in any label successfully applying to a file, as long as the
> file exists.
>
> This issue has
On 03/19/2018 07:08 AM, Vit Mojzis wrote:
> From: Vit Mojzis
>
> Unify behaviour for all module actions.
> The same behaviour is already present for -i/-u/-r/-e switches.
>
> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1545218
I've put up a PR for this one
On 03/25/2018 03:34 PM, Yuli Khodorkovskiy wrote:
> In permissive mode, calling restorecon with a bad label in file_contexts
> does not verify the label's existence in the loaded policy. This
> results in any label successfully applying to a file, as long as the
> file exists.
>
> This issue has
On 03/28/2018 11:40 PM, Yuli Khodorkovskiy wrote:
> Keep track of line numbers for each file context in
> selabel_handle. If an error occurs in selabel_fini(), the
> line number of an invalid file context is echoed to the user.
>
> Signed-off-by: Yuli Khodorkovskiy
> ---
>
If security_get_bools/classes are called before the selinux state is
initialized (i.e. before first policy load), then they should just
return immediately with no booleans/classes.
Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov>
---
security/selinux/ss/services.c | 13 +
On 03/19/2018 10:29 PM, Joe Kirwin wrote:
> Empirical Observations
> If I was to create an SELinux policy containing the following file_contexts
> (fruits.fc)
> ```
> /apple/orange/.* --
> gen_context(system_u:object_r:atype_t,s0)
> /banana/.*
On 03/21/2018 07:58 AM, Laurent Bigonville wrote:
> Hello,
>
> Could somebody have a quick look at the two patches that I opened for two
> dbus bugs:
>
> https://bugs.freedesktop.org/show_bug.cgi?id=92831 (stop using avc_init())
>
> https://bugs.freedesktop.org/attachment.cgi?id=138021 (stop
On 03/23/2018 09:14 AM, Stephen Smalley wrote:
> On 03/23/2018 08:44 AM, Laurent Bigonville wrote:
>> On 23/03/18 at 13:26, Stephen Smalley wrote:
>>> On 03/23/2018 06:31 AM, Laurent Bigonville wrote:
>>>> On 22/03/18 at 17:09, Stephen Smalley wrote:
>>
On 03/23/2018 08:44 AM, Laurent Bigonville wrote:
> On 23/03/18 at 13:26, Stephen Smalley wrote:
>> On 03/23/2018 06:31 AM, Laurent Bigonville wrote:
>>> On 22/03/18 at 17:09, Stephen Smalley wrote:
>>>> On 03/21/2018 07:58 AM, Laurent Bigonville wrote:
On 03/23/2018 06:31 AM, Laurent Bigonville wrote:
> On 22/03/18 at 17:09, Stephen Smalley wrote:
>> On 03/21/2018 07:58 AM, Laurent Bigonville wrote:
>>> Hello,
>>>
>>> Could somebody have a quick look at the two patches that I opened for two
>>> db
-off-by: Stephen Smalley <s...@tycho.nsa.gov>
---
security/selinux/avc.c | 284 ++---
security/selinux/hooks.c| 398
security/selinux/include/avc.h | 32 ++-
security/selinux/include/avc_ss.h
-by: Stephen Smalley <s...@tycho.nsa.gov>
---
security/selinux/selinuxfs.c | 472 +
security/selinux/ss/services.c | 13 ++
2 files changed, 307 insertions(+), 178 deletions(-)
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
On 03/02/2018 01:49 PM, Chris PeBenito wrote:
> I've been able to make SETools dynamically link to libsepol. However,
> one challenge is with policycap names. They're static libsepol, with
> nothing that exports them. Can we either:
>
> * export the sepol_polcap_getname() function, or
> * move
On 02/22/2018 08:29 AM, Vit Mojzis wrote:
> "Edit" and "add" dialogues weren't closed after successful transaction
> ("add" and "edit" methods return "None" if successful).
I see the bug, but the behavior after applying the patch also seems to
be wrong:
Traceback (most recent call last):
File
On 02/23/2018 11:57 PM, Yuli Khodorkovskiy wrote:
> Since Darwin systems do not have GNU sed installed, the Darwin sed is
> missing the "regexp-extended" flag needed to modify the secilc markdown
> files before processing with pandoc.
>
> A quick fix for Mac users is to `brew install gnu-sed` and
On 02/22/2018 08:33 AM, Vit Mojzis wrote:
> Fix command line arguments and description in man page.
>
> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1334834
>
> Signed-off-by: Vit Mojzis
Thanks, applied.
> ---
> semodule-utils/semodule_package/semodule_unpackage.8 |
On 02/18/2018 05:21 PM, Lee Stubbs wrote:
> ---
> python/semanage/semanage-bash-completion.sh | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/python/semanage/semanage-bash-completion.sh
> b/python/semanage/semanage-bash-completion.sh
> index 6b53292..2d811c9 100644
> ---
On 02/28/2018 04:53 AM, Dominick Grift wrote:
> On Wed, Feb 28, 2018 at 10:27:08AM +0100, Dominick Grift wrote:
>> Since Linux 4.16 (to at least RC2) user space started to excessively trigger
>> cap_sys_module
>>
>> Here is one example of such and event:
>>
>> type=SYSCALL msg=audit(02/27/2018
On 02/28/2018 08:53 AM, Stephen Smalley wrote:
> On 02/28/2018 04:53 AM, Dominick Grift wrote:
>> On Wed, Feb 28, 2018 at 10:27:08AM +0100, Dominick Grift wrote:
>>> Since Linux 4.16 (to at least RC2) user space started to excessively trigger
>>> cap_sys_module
On 09/26/2018 04:34 PM, Casey Schaufler wrote:
From: Casey Schaufler
A ptrace access check with mode PTRACE_MODE_SCHED gets called
from process switching code. This precludes the use of audit or avc,
as the locking is incompatible. The only available check that
can be made without using avc is
Acked-by: Stephen Smalley
---
libsepol/src/policydb.c | 14 ++
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index a6d76ca3..dc201e2f 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -2830,1
>my_module.cil <
Cc: Eli Cohen
Cc: James Morris
Cc: Doug Ledford
Cc: # 4.13+
Fixes: a806f7a1616f ("selinux: Create policydb version for Infiniband support")
Signed-off-by: Ondrej Mosnacek
Acked-by: Stephen Smalley
---
security/selinux/ss/policydb.c | 41 ++
On 10/18/2018 03:47 AM, Ondrej Mosnacek wrote:
Do the LE conversions before doing the Infiniband-related range checks.
The incorrect checks are otherwise causing a failure to load any policy
with an ibendportcon rule on BE systems. This can be reproduced by
running (on e.g. ppc64):
cat
On 10/17/2018 05:18 PM, Paul Moore wrote:
On Wed, Oct 17, 2018 at 12:07 PM William Roberts wrote:
On Wed, Oct 17, 2018 at 7:48 AM Ondrej Mosnacek wrote:
We need to convert from little-endian before doing range checks on the
ibpkey port numbers, otherwise we would be checking a wrong value.
On 10/16/2018 03:09 AM, Ondrej Mosnacek wrote:
Add missing LE conversions to the Infiniband-related range checks. These
were causing a failure to load any policy with an ibendportcon rule on
BE systems. This can be reproduced by running:
cat >my_module.cil <
Cc: Eli Cohen
Cc: James Morris
Cc:
On 10/10/2018 07:57 AM, Ville Baillie wrote:
Hi,
Does SELinux provide any sort of mechanism for blocking exec on commands
based on their command line arguments?
The proposed use case goes a little like this, allow 'wget' to access
'http://good-server-1/*' and 'http://good-server-2/*' but block
On 10/23/2018 09:33 AM, Ted Toth wrote:
Is it possible to modify/replace an existing mlsconstrain? In playing
around I created multiple instances of a mlsconstrain and variations of
mlsconstrains but haven't figured out how to clean them up as I get
"Error: Unknown keyword delete' when trying
>my_module.cil <
Cc: Eli Cohen
Cc: James Morris
Cc: Doug Ledford
Cc: # 4.13+
Fixes: a806f7a1616f ("selinux: Create policydb version for Infiniband support")
Signed-off-by: Ondrej Mosnacek
Acked-by: Stephen Smalley
---
security/selinux/ss/policydb.c | 51 ++
On 10/23/2018 09:56 AM, Ted Toth wrote:
On Tue, Oct 23, 2018 at 8:39 AM Stephen Smalley <s...@tycho.nsa.gov> wrote:
On 10/23/2018 09:33 AM, Ted Toth wrote:
> Is it possible to modify/replace an existing mlsconstrain? In
playing
> around I created mul
On 10/31/2018 08:27 AM, Ondrej Mosnacek wrote:
This patch separates the lookup of the initial SIDs into a separate
lookup table (implemented simply by a fixed-size array), in order to
pave the way for improving the process of converting the sidtab to a new
policy during a policy reload.
The
On 10/31/2018 08:27 AM, Ondrej Mosnacek wrote:
Before this patch, during a policy reload the sidtab would become frozen
and trying to map a new context to SID would be unable to add a new
entry to sidtab and fail with -ENOMEM.
Such failures are usually propagated into userspace, which has no
On 10/31/2018 04:31 PM, Stephen Smalley wrote:
We'd like to replace the policy rwlock with RCU at some point; there is a very old
patch that tried to do that once before, which eliminated the policy
write lock altogether (policy switch became a single pointer update),
but no one has yet taken
Hi,
As a reminder, the selinux mailing list has moved to vger.kernel.org.
If you wish to continue following the list, please subscribe by sending
a plaintext message containing "subscribe selinux" in the body to
majord...@vger.kernel.org. Be advised that vger.kernel.org does not
accept HTML
On 11/6/18 9:33 AM, Ishara Fernando wrote:
Dear all,
I have been trying to test and see how SELinux MLS works with Apache ,
this is what I did to test
*1) As we're aware, if we start the apache process as the default SELinux
user (i.e. just as the root user), it will obtain a security context
On 11/8/18 8:33 AM, Ishara Fernando wrote:
Dear Stephen,
Many thanks for the detailed information, it has been very useful.
In fact I have tested your steps in a similar environment (CentOS 6.10,
see versions below) to yours in a virtual machine based on
VirtualBox, I have reached to
On 11/13/18 8:52 AM, Ondrej Mosnacek wrote:
This patch is non-functional and moves handling of initial SIDs into a
separate table. Note that the SIDs stored in the main table are now
shifted by SECINITSID_NUM and converted to/from the actual SIDs
transparently by helper functions.
When you say
On 11/15/18 8:11 AM, Ondrej Mosnacek wrote:
On Mon, Nov 12, 2018 at 7:56 AM Ravi Kumar wrote:
Hi team,
On android with latest kernels 4.14 we are seeing some denials which seem to
be very much genuine and need to be addressed, where the kernel is trying to kill its own
created process (might be for
On 11/15/18 9:42 AM, Stephen Smalley wrote:
On 11/15/18 8:11 AM, Ondrej Mosnacek wrote:
On Mon, Nov 12, 2018 at 7:56 AM Ravi Kumar wrote:
Hi team,
On android with latest kernels 4.14 we are seeing some denials
which seem to be very much genuine and need to be addressed, where the kernel is
trying
On 11/14/18 10:23 AM, Stephen Smalley wrote:
On 11/13/18 10:14 PM, Paul Moore wrote:
On Tue, Nov 13, 2018 at 4:10 PM Stephen Smalley wrote:
On 11/12/18 6:44 AM, Ondrej Mosnacek wrote:
This function has only two callers, but only one of them actually needs
the special logic at the beginning
On 11/13/18 10:14 PM, Paul Moore wrote:
On Tue, Nov 13, 2018 at 4:10 PM Stephen Smalley wrote:
On 11/12/18 6:44 AM, Ondrej Mosnacek wrote:
This function has only two callers, but only one of them actually needs
the special logic at the beginning. Factoring this logic out
On 11/7/18 2:04 AM, Ishara Fernando wrote:
Thanks Stephen , so below are the details of my SELinux setup
*Centos Version* : CentOS release 6.2 (Final)
*Kernel version* : 2.6.32-220.el6.x86_64
*RPM package* : selinux-policy-mls-3.7.19-312.el6.noarch
That's quite old. Any particular reason
On 11/14/18 4:45 AM, Ondrej Mosnacek wrote:
On Tue, Nov 13, 2018 at 10:35 PM Stephen Smalley wrote:
On 11/13/18 8:52 AM, Ondrej Mosnacek wrote:
This patch is non-functional and moves handling of initial SIDs into a
separate table. Note that the SIDs stored in the main table are now
shifted
On 11/12/18 6:44 AM, Ondrej Mosnacek wrote:
This function has only two callers, but only one of them actually needs
the special logic at the beginning. Factoring this logic out into
string_to_context_struct() allows us to drop the arguments 'oldc', 's',
and 'def_sid'.
Signed-off-by: Ondrej
On 11/13/18 8:52 AM, Ondrej Mosnacek wrote:
This is a purely cosmetic change that encapsulates the three-step sidtab
conversion logic (shutdown -> clone -> map) into a single function
defined in sidtab.c (as opposed to services.c).
Signed-off-by: Ondrej Mosnacek
Acked-by: Stephen S
On 10/03/2018 11:52 AM, Paul Moore wrote:
The overlayfs tests require setfattr and getfattr which are part of
the attr package in Fedora.
Signed-off-by: Paul Moore
Acked-by: Stephen Smalley
---
README.md |4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git
On 09/30/2018 10:43 AM, Chris PeBenito wrote:
On 09/11/2018 04:20 PM, Stephen Smalley wrote:
On 09/11/2018 03:04 PM, Joe Nall wrote:
On Sep 11, 2018, at 1:29 PM, Stephen Smalley wrote:
On 09/11/2018 10:41 AM, Stephen Smalley wrote:
On 09/10/2018 06:30 PM, Ted Toth wrote:
mcstrans
On 10/02/2018 11:58 AM, Al Viro wrote:
On Tue, Oct 02, 2018 at 01:18:30PM +0200, Ondrej Mosnacek wrote:
No. With the side of Hell, No. The bug is real, but this is
not the way to fix it.
First of all, it's still broken - e.g. mount something on a
subdirectory and watch what that thing will
Hi,
The selinux mailing list is moving to vger.kernel.org.
If you wish to continue following the list, please subscribe by sending
a plaintext message containing "subscribe selinux" in the body to
majord...@vger.kernel.org.
Going forward, mailing list archiving is being provided by lore, see
On 10/02/2018 02:48 PM, Taras Kondratiuk wrote:
Quoting Stephen Smalley (2018-09-21 07:40:58)
If we set the inode sid to the superblock def_sid on an invalid
context, then we lose the association to the original context value.
The support for deferred mapping of contexts requires allocating
Signed-off-by: Stephen Smalley
---
README | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/README b/README
index 174551a1..1c009b01 100644
--- a/README
+++ b/README
@@ -1,5 +1,6 @@
-Please submit all bug reports and patches to selinux@tycho.nsa.gov.
-Subscribe via selinux
On 08/29/2018 12:58 AM, Paul Moore wrote:
On Tue, Aug 28, 2018 at 5:32 PM Micah Morton wrote:
The security_sb_copy_data LSM hook allows LSMs to copy custom string
name/value args passed to mount_fs() into a temporary buffer (called
"secdata") that will be accessible to LSM code during the
On 09/20/2018 06:59 PM, Taras Kondratiuk wrote:
Quoting Stephen Smalley (2018-09-20 07:49:12)
On 09/19/2018 10:41 PM, Taras Kondratiuk wrote:
Quoting Stephen Smalley (2018-09-19 12:00:33)
On 09/19/2018 12:52 PM, Taras Kondratiuk wrote:
When files on NFSv4 server are not properly labeled
On 09/23/2018 01:09 PM, Casey Schaufler wrote:
On 9/23/2018 8:59 AM, Tetsuo Handa wrote:
On 2018/09/23 11:43, Kees Cook wrote:
I'm excited about getting this landed!
Soon. Real soon. I hope. I would very much like for
someone from the SELinux camp to chime in, especially on
the
y to use selinux_restorecon")
Reported-by: sajjad ahmed
Signed-off-by: Stephen Smalley
Cc: Richard Haines
---
libselinux/src/selinux_restorecon.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libselinux/src/selinux_restorecon.c
b/libselinux/src/selinux_restorecon.c
index 41f22
On 09/26/2018 09:55 AM, sajjad ahmed via Selinux wrote:
Hi all,
I'm trying to use the setfiles utility (v 2.7) from policycoreutils to
label rootfs. It seems like setfiles excludes all the directories
straight away and labels nothing. I tried an older version (< 2.6) that
works fine. I'm
On 09/26/2018 10:18 AM, Stephen Smalley wrote:
On 09/26/2018 09:55 AM, sajjad ahmed via Selinux wrote:
Hi all,
I'm trying to use the setfiles utility (v 2.7) from policycoreutils to
label rootfs. It seems like setfiles excludes all the directories
straight away and labels nothing. I tried
On Wed, Sep 26, 2018, 4:35 PM Casey Schaufler wrote:
> From: Casey Schaufler
>
> A ptrace access check with mode PTRACE_MODE_SCHED gets called
> from process switching code. This precludes the use of audit or avc,
> as the locking is incompatible. The only available check that
> can be made
On 09/19/2018 10:41 PM, Taras Kondratiuk wrote:
Quoting Stephen Smalley (2018-09-19 12:00:33)
On 09/19/2018 12:52 PM, Taras Kondratiuk wrote:
When files on NFSv4 server are not properly labeled (label doesn't match
a policy on a client) they will end up with unlabeled_t type which is
too
On 09/19/2018 12:52 PM, Taras Kondratiuk wrote:
When files on NFSv4 server are not properly labeled (label doesn't match
a policy on a client) they will end up with unlabeled_t type which is
too generic. We would like to be able to set a default context per
mount. 'defcontext' mount option looks
On 09/19/2018 03:21 PM, William Roberts wrote:
Some people might be checking this output since it's been there so long,
-s would be a good way to go.
Alternatively, a way to bring back this information via a verbose option
-V could be considered.
Either way, a simple logging mechanism
On 09/19/2018 03:41 PM, William Roberts wrote:
On Wed, Sep 19, 2018 at 12:36 PM Stephen Smalley <s...@tycho.nsa.gov> wrote:
On 09/19/2018 03:21 PM, William Roberts wrote:
> Some people might be checking this output since it's been there
so long,
> -s
On 09/21/2018 04:50 AM, Benjamin Schüle wrote:
Hello,
just found a bug in selinux. It appears on ubuntu 16.04 with kernel
4.15, but not with kernel 4.4.
What's going wrong:
Copy a link with "-a" option while selinux is on.
steps to reproduce:
~$ mkdir -p a/b
~$ ln -s b a/c
~$ cp
On 09/25/2018 01:45 AM, Taras Kondratiuk wrote:
Quoting Paul Moore (2018-09-24 20:46:57)
On Fri, Sep 21, 2018 at 10:39 AM Stephen Smalley wrote:
On 09/20/2018 06:59 PM, Taras Kondratiuk wrote:
Quoting Stephen Smalley (2018-09-20 07:49:12)
On 09/19/2018 10:41 PM, Taras Kondratiuk wrote
On 09/25/2018 12:03 PM, Paul Moore wrote:
On Tue, Sep 25, 2018 at 9:58 AM Stephen Smalley wrote:
On 09/25/2018 01:45 AM, Taras Kondratiuk wrote:
Quoting Paul Moore (2018-09-24 20:46:57)
On Fri, Sep 21, 2018 at 10:39 AM Stephen Smalley wrote:
On 09/20/2018 06:59 PM, Taras Kondratiuk wrote
On 09/11/2018 12:53 PM, Joshua Brindle wrote:
On Tue, Sep 11, 2018 at 10:41 AM, Stephen Smalley wrote:
On 09/10/2018 06:30 PM, Ted Toth wrote:
mcstrans mcscolor.c also uses the same logic I'd been using to check
dominance so this too will no longer function as expected on el7. Do you have any
. However, if you define a class/permission
in a .cil module, you can certainly specify a require on it and use it
from a conventional .te/.if module, ala:
$ cat > usemcstrans.te <
On Tue, Sep 11, 2018 at 2:27 PM Stephen Smalley <s...@tycho.nsa.gov> wrote:
On 09/11/2018 02:
On 09/11/2018 10:41 AM, Stephen Smalley wrote:
On 09/10/2018 06:30 PM, Ted Toth wrote:
mcstrans mcscolor.c also uses the same logic I'd been using to check
dominance so this too will no longer function as expected on el7. Do
you have any suggestions for doing a 'generic' (one not tied to a specific
On 09/11/2018 01:39 PM, Joshua Brindle wrote:
On Tue, Sep 11, 2018 at 1:33 PM, Stephen Smalley wrote:
On 09/11/2018 12:53 PM, Joshua Brindle wrote:
On Tue, Sep 11, 2018 at 10:41 AM, Stephen Smalley wrote:
On 09/10/2018 06:30 PM, Ted Toth wrote:
mcstrans mcscolor.c also uses the same
On 09/11/2018 03:29 PM, Stephen Smalley wrote:
On 09/11/2018 02:49 PM, Ted Toth wrote:
Yes I too noticed the translate permission but couldn't find any info
related to its intended purpose. Regarding CIL unfortunately I have
zero experience with it but I've installed the compiler and started
this:
$ cat > mcstrans.cil <
Then try performing permission checks with "mcstrans" as your class and
"color_use" as your permission, between a domain and itself, with
different levels.
On Tue, Sep 11, 2018 at 1:27 PM Stephen Smalley <s...@tycho.nsa.gov>
On 09/11/2018 03:04 PM, Joe Nall wrote:
On Sep 11, 2018, at 1:29 PM, Stephen Smalley wrote:
On 09/11/2018 10:41 AM, Stephen Smalley wrote:
On 09/10/2018 06:30 PM, Ted Toth wrote:
mcstrans mcscolor.c also uses the same logic I'd been using to check dominance
so this too will no longer