On Wed, 2017-10-18 at 19:30 -0700, William Roberts wrote:
> On Tue, Oct 17, 2017 at 12:50 PM, Stephen Smalley
> wrote:
> > On Tue, 2017-10-17 at 11:49 -0700, William Roberts wrote:
> > > On Sun, Oct 15, 2017 at 5:10 AM, Nicolas Iooss > > .org
> > > > wrot
arted the job, and it failed again in the same way (but on
different cases). Then I restarted it a third time, and this time it
ran to completion. This seems problematic; we likely need to
reconsider any use of curl from the travis.yml file.
>
>
>
>
> On Tue, Oct 24, 2017 at
On Tue, 2017-10-24 at 23:00 +0200, Nicolas Iooss wrote:
> On Tue, Oct 24, 2017 at 10:20 PM, William Roberts
> wrote:
> > On Oct 24, 2017 13:05, "Stephen Smalley" wrote:
> >
> > On Tue, 2017-10-24 at 09:26 -0700, William Roberts wrote:
> > > Error 52,
relax the checking somewhat based on testing a wider range of
older kernels.
Signed-off-by: Stephen Smalley
---
tests/inet_socket/client.c | 20 ++--
tests/inet_socket/test | 24
2 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/tests/i
f-by: Matthew Garrett
> Acked-by: Paul Moore
> Cc: Paul Moore
> Cc: Stephen Smalley
> Cc: Eric Paris
> Cc: selinux@tycho.nsa.gov
> Cc: Casey Schaufler
> Cc: linux-security-mod...@vger.kernel.org
> Cc: Mimi Zohar
> Cc: Dmitry Kasatkin
> Cc: linux-integr...@v
Trivial reformatting via tools/check-syntax -f.
Noticed it when I ran it to fix up the inet_socket/test script
after the changes in the preceding commit and it also fixed this one.
Signed-off-by: Stephen Smalley
---
tests/nnp_nosuid/test | 2 +-
1 file changed, 1 insertion(+), 1 deletion
")
Signed-off-by: Stephen Smalley
---
Sending this as an RFC to lsm and selinux for comments before sending it
to netdev. See https://github.com/SELinuxProject/selinux-kernel/issues/36
for earlier discussion about the bug.
net/xfrm/xfrm_policy.c | 2 ++
1 file changed, 2 insertions(+)
d
-testsuite; I used
it to confirm that we are not getting proper xfrm state selector
matching with the current xdst pcpu cache code and to test a possible fix.
Signed-off-by: Stephen Smalley
---
tests/inet_socket/ipsec-load | 7 +--
tests/inet_socket/test | 23 ++
try. With these changes,
the selinux-testsuite passes all tests again.
Fixes: ec30d78c14a813db39a647b6a348b4286ba4abf5 ("xfrm: add xdst pcpu cache")
Signed-off-by: Stephen Smalley
---
This is an RFC because I am not entirely confident in the fix, e.g. is it
sufficient to perform this
On Mon, 2017-10-30 at 10:57 +, Matthew Garrett via Selinux wrote:
> On Thu, Oct 26, 2017 at 3:20 PM, Stephen Smalley
> wrote:
> > On Thu, 2017-10-26 at 01:40 -0700, Matthew Garrett via Selinux
> > wrote:
> > > +static void selinux_cred_getsecid(const struc
On Mon, 2017-10-30 at 21:04 +1100, James Morris wrote:
> This is a proof-of-concept patch to demonstrate an approach to
> supporting
> SELinux namespaces for security.selinux xattr labels.
>
> This follows on from the experimental SELinux namespace code posted
> by
> Stephen: https://marc.info/?
On Tue, 2017-10-31 at 14:11 +1100, James Morris wrote:
> On Mon, 30 Oct 2017, Stephen Smalley wrote:
>
> > Thanks, interesting approach. One drawback is that it doesn't
> > presently
> > support any form of inheritance of labels from the parent
> > namespace
On Tue, 2017-10-31 at 12:11 +0100, Florian Westphal wrote:
> Stephen Smalley wrote:
> > Since 4.14-rc1, the selinux-testsuite has been encountering
> > sporadic
> > failures during testing of labeled IPSEC. git bisect pointed to
> > commit ec30d78c14a813db39a647b6a348
On Tue, 2017-10-31 at 09:43 -0400, Stephen Smalley wrote:
> On Tue, 2017-10-31 at 12:11 +0100, Florian Westphal wrote:
> > Stephen Smalley wrote:
> > > Since 4.14-rc1, the selinux-testsuite has been encountering
> > > sporadic
> > > failures during testing of
On Tue, 2017-10-31 at 09:00 -0400, Stephen Smalley wrote:
> On Tue, 2017-10-31 at 14:11 +1100, James Morris wrote:
> > On Mon, 30 Oct 2017, Stephen Smalley wrote:
> >
> > > Thanks, interesting approach. One drawback is that it doesn't
> > > presently
>
On Wed, 2017-11-01 at 00:08 +0100, Florian Westphal wrote:
> Paul Moore wrote:
> > On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley > v> wrote:
> > > matching before (as in this patch) or after calling
> > > xfrm_bundle_ok()?
> >
> > I would probabl
On Wed, 2017-11-01 at 17:40 +1100, James Morris wrote:
> On Tue, 31 Oct 2017, Stephen Smalley wrote:
>
> > This btw would be a bit cleaner if we dropped the .ns. portion of
> > the
> > name, such that we would have:
> > security.selinux # xattr name in the init name
On Wed, 2017-11-01 at 17:39 -0400, Paul Moore wrote:
> On Tue, Oct 31, 2017 at 7:08 PM, Florian Westphal
> wrote:
> > Paul Moore wrote:
> > > On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley > > gov> wrote:
> > > > matching before (as in this patc
On Thu, 2017-11-02 at 14:19 +0100, Petr Lautrbach wrote:
> When SELinux is disabled, semanage without -N fails with a quite
> complicated
> error message when it tries to reload a new policy. Since reload in
> this case
> doesn't make sense, we should probably try to avoid that.
I haven't looked c
On Thu, 2017-11-02 at 15:17 +0100, Petr Lautrbach wrote:
> On Thu, Nov 02, 2017 at 09:52:25AM -0400, Stephen Smalley wrote:
> > On Thu, 2017-11-02 at 14:19 +0100, Petr Lautrbach wrote:
> > > When SELinux is disabled, semanage without -N fails with a quite
> > > complicat
ou have to allow apt_t to directly do anything dpkg_t can do,
2) Any files created by dpkg running under apt will be labeled
according to apt_t's type transition rules rather than dpkg_t's type
transition rules.
This may not matter much with your default policy (I don't know) but it
On Mon, 2017-11-13 at 17:45 +1100, James Morris wrote:
> On Tue, 31 Oct 2017, Stephen Smalley wrote:
>
> > This btw would be a bit cleaner if we dropped the .ns. portion of
> > the
> > name, such that we would have:
> > security.selinux # xattr name in the init name
On Mon, 2017-11-13 at 17:40 -0500, Paul Moore wrote:
> On Mon, Nov 13, 2017 at 5:05 PM, Richard Haines
> wrote:
> > On Mon, 2017-11-06 at 19:09 -0500, Paul Moore wrote:
> > > On Tue, Oct 17, 2017 at 9:59 AM, Richard Haines
> > > wrote:
> > > > The SELinux SCTP implementation is explained in:
> >
On Fri, 2017-11-17 at 08:09 -0500, James Carter wrote:
> Daniel Cashman discovered the following:
> When using cil_db multiple_decls, the different cil_attribute nodes
> all point to the same underlying cil_attribute struct. This leads
> to problems, though, when modifying the used value in the s
On Tue, 2017-11-21 at 20:49 +1100, James Morris wrote:
> This is an updated version of the patch which I first posted here:
>
> http://kernsec.org/pipermail/linux-security-module-archive/2017-Octob
> er/004053.html
>
> I've incorporated some of the feedback provided, as follows:
>
> 1. The init
On Fri, 2017-11-24 at 10:47 +0530, Aman Sharma wrote:
>
>
> Hi All,
>
> Currently Working on Cent OS 7.3 and login as a root User and my Id
> command output is :
>
> id
> uid=0(root) gid=0(root) groups=0(root)
> context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
>
> I want to change System_
On Tue, 2017-11-21 at 15:19 +0100, Petr Lautrbach wrote:
> When a calling process uses umask(0) some files in the SELinux module
> store can be created to be world writeable. With this patch,
> libsemanage
> sets umask(0077) before fopen() operations and restores the original
> umask value when it'
selinux/targeted/active/modules/disabled
> -rw-rw-rw-.
> /var/lib/selinux/targeted/active/modules/disabled/zosremote
>
> Signed-off-by: Petr Lautrbach
Acked-by: Stephen Smalley
Queued for merge.
> ---
> libsemanage/src/database_file.c | 3 +++
> libsemanage/src/direct_ap
On Mon, 2017-11-27 at 19:32 +, Richard Haines wrote:
> The SELinux SCTP implementation is explained in:
> Documentation/security/SELinux-sctp.rst
>
> Signed-off-by: Richard Haines
> ---
> Documentation/security/SELinux-sctp.rst | 104
> security/selinux/hooks.c|
On Tue, 2017-11-28 at 14:39 -0500, Stephen Smalley wrote:
> On Mon, 2017-11-27 at 19:32 +, Richard Haines wrote:
> > The SELinux SCTP implementation is explained in:
> > Documentation/security/SELinux-sctp.rst
> >
> > Signed-off-by: Richard Haines
> > ---
>
On Wed, 2017-11-29 at 09:33 +0530, Aman Sharma wrote:
> Hi Stephen,
>
> Below is the output of command :
>
> sestatus -v output
> SELinux status: enabled
> SELinuxfs mount: /sys/fs/selinux
> SELinux root directory: /etc/selinux
> Loaded policy name:
On Wed, 2017-11-29 at 17:19 +0530, Aman Sharma wrote:
> Hi All,
>
> During System boot up, I am running some semanage commands to change
> the User to sysadm_u. But in Cent OS 7.3 , Below error message is
> coming i.e. ValueError: Login mapping for __default__ is not
> defined.
>
> /usr/sbin/se
On Wed, 2017-11-29 at 08:56 -0500, Stephen Smalley wrote:
> On Wed, 2017-11-29 at 17:19 +0530, Aman Sharma wrote:
> > Hi All,
> >
> > During System boot up, I am running some semanage commands to
> > change
> > the User to sysadm_u. But in Cent OS 7.3 , Belo
s0 *
> system_u sysadm_u s0-s0:c0.c1023 *
>
> Please let me know if any comments are there.
>
> Thanks
> Aman
>
> On Wed, Nov 29, 2017 at 7:21 PM, Stephen Smalley
> wrote:
> > On Wed, 2017-11-29 at 09
On Wed, 2017-11-29 at 20:47 +0530, Aman Sharma wrote:
> Hi Stephen,
>
> I tried all the three command i.e.
> semanage export > localchanges
>
> semanage login -D
> semanage user -D
>
> Then I reboot the system and after reboot , still its showing the
> root User as Same id context i.e.
>
> id
s trying to effectively apply a "strict" policy, but
it was left in a broken state.
>
>
> On Wed, Nov 29, 2017 at 9:10 PM, Stephen Smalley
> wrote:
> > On Wed, 2017-11-29 at 20:47 +0530, Aman Sharma wrote:
> > > Hi Stephen,
> > >
> > >
On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote:
> Hi Stephen,
>
> After enabling the unconfined module and after reboot also, Still
> showing the same id context.
>
> Is there any way to make the id context to normal state again ?
Hmmm...try resetting all booleans too? semanage boolean -
On Wed, 2017-11-29 at 21:26 +1100, James Morris wrote:
> I'm seeing a kernel stack corruption bug (detected via gcc) when
> running
> the SELinux testsuite on a 4.15-rc1 kernel, in the 2nd inet_socket
> test:
>
> https://github.com/SELinuxProject/selinux-testsuite/blob/master/tests
> /inet_socket
Wed, Nov 29, 2017 at 9:50 PM, Stephen Smalley
> wrote:
> > On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote:
> > > Hi Stephen,
> > >
> > > After enabling the unconfined module and after reboot also, Still
> > > showing the same id context.
> >
On Wed, 2017-11-29 at 09:34 -0800, Eric Dumazet wrote:
> On Wed, Nov 29, 2017 at 9:31 AM, Stephen Smalley
> wrote:
> > On Wed, 2017-11-29 at 21:26 +1100, James Morris wrote:
> > > I'm seeing a kernel stack corruption bug (detected via gcc) when
> > > running
>
On Fri, 2017-12-01 at 10:34 -0500, Paul Moore wrote:
> On Thu, Nov 30, 2017 at 6:44 PM, William Roberts
> wrote:
> > On Thu, Nov 30, 2017 at 8:52 AM, Paul Moore
> > wrote:
> > > From: Paul Moore
> > >
> > > The syzbot/syzkaller automated tests found a problem in
> > > security_context_to_sid_co
*uid=0(root) gid=0(root) groups=0(root)
> > > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023*
> > > > *[root@cucm2 ~]# id -Z*
> > > > *system_u:system_r:unconfined_t:s0-s0:c0.c1023*
> > > >
> > > > *And semanag
On Sun, 2017-12-03 at 20:33 +0900, Tetsuo Handa wrote:
> On 2017/12/02 3:52, syzbot wrote:
> > ==
> > BUG: KASAN: slab-out-of-bounds in strcmp+0x96/0xb0 lib/string.c:328
> > Read of size 1 at addr 8801cd99d2c1 by task
> > syzkaller
On Sat, 2017-12-02 at 09:29 +0530, Aman Sharma wrote:
> Hi All,
>
> Thanks for the information.
>
> But after resetting the semanage User/login, and moving the targeted
> folder to old one and then install the default target. then also its
> still showing the
> Id context as context=system_u:sys
On Mon, 2017-12-04 at 15:15 +0530, Aman Sharma wrote:
> Hi All,
>
> I am seeing a number of su core files after a fresh install of Cent
> OS 7 Machine. In this particular case I have 622 cores files found.
> The backtrace is given below
>
> Reading symbols from /usr/bin/su...Reading symbols from
On Mon, 2017-12-04 at 10:44 -0500, Stephen Smalley wrote:
> On Mon, 2017-12-04 at 15:15 +0530, Aman Sharma wrote:
> > Hi All,
> >
> > I am seeing a number of su core files after a fresh install of Cent
> > OS 7 Machine. In this particular case I have 622 cores files
On Mon, 2017-12-04 at 21:45 +0530, Aman Sharma wrote:
> Hi Stephen,
>
> sestatus -v
> SELinux status: enabled
> SELinuxfs mount: /sys/fs/selinux
> SELinux root directory: /etc/selinux
> Loaded policy name: targeted
> Current mode:
at wrong in your /etc/pam.d/sshd
file, so that if someone else encounters this behavior in the future,
they can find a solution in the list archives?
>
> On Mon, Dec 4, 2017 at 9:39 PM, Stephen Smalley
> wrote:
> > On Mon, 2017-12-04 at 21:31 +0530, Aman Sharma wrote:
> > >
On Mon, 2017-12-04 at 17:39 +0100, Dmitry Vyukov wrote:
> On Mon, Dec 4, 2017 at 2:59 PM, Paul Moore wrote:
> > > > > On 2017/12/02 3:52, syzbot wrote:
> > > > > > ===
> > > > > > ===
> > > > > > BUG: KASAN: slab-out-of-bounds in strcmp+0
sbin/sshd" hostname=10.97.7.209
> addr=10.97.7.209 terminal=ssh res=success'
>
> Please let me know if any comments are there.
Those are normal. Check journalctl and /var/log/secure for any errors
from sshd.
Also try the selinuxdefcon command I mentioned.
>
> On Mon, Dec
On Wed, 2017-12-13 at 09:25 +, yangjihong wrote:
> Hello,
>
> I am doing stressing testing on 3.10 kernel(centos 7.4), to
> constantly starting numbers of docker containers with selinux enabled,
> and after about 2 days, the kernel softlockup panic:
> [] sched_show_task+0xb8/0x120
> [] sho
On Tue, 2017-12-12 at 23:47 -0500, Aman Sharma wrote:
> Hi All,
>
> just wanted to know the meaning of line session required
> pam_selinux.so open env_params added in /etc/pam.d/sshd file.
> Actually I am facing one issue related to this. When I changed this
> env_params to restore then my
>
> On Wed, Dec 13, 2017 at 8:54 PM, Stephen Smalley
> wrote:
> > On Tue, 2017-12-12 at 23:47 -0500, Aman Sharma wrote:
> > > Hi All,
> > >
> > > just wanted to know the meaning of line session required
> > > pam_selinux.so open env_params
On Thu, 2017-12-14 at 03:19 +, yangjihong wrote:
> Hello,
>
> > So, does docker just keep allocating a unique category set for
> > every new container, never reusing them even if the container is
> > destroyed?
> > That would be a bug in docker IMHO. Or are you creating an
> > unbounded nu
On Thu, 2017-12-14 at 12:48 +0530, Aman Sharma wrote:
> Hi All,
>
> Below is the output of semanage USer command output for sftpuser:
>
> specialuser_u user s0 s0
> sysadm_r system_r
>
> and for command semanage login -l , output is :
>
> sftpuser
On Thu, 2017-12-14 at 08:18 -0800, Casey Schaufler wrote:
> On 12/13/2017 7:18 AM, Stephen Smalley wrote:
> > On Wed, 2017-12-13 at 09:25 +, yangjihong wrote:
> > > Hello,
> > >
> > > I am doing stressing testing on 3.10 kernel(centos 7.4), to
> >
On Thu, 2017-12-14 at 09:00 -0800, Casey Schaufler wrote:
> On 12/14/2017 8:42 AM, Stephen Smalley wrote:
> > On Thu, 2017-12-14 at 08:18 -0800, Casey Schaufler wrote:
> > > On 12/13/2017 7:18 AM, Stephen Smalley wrote:
> > > > On Wed, 2017-12-13 at 09:25 +, yan
On Fri, 2017-12-15 at 03:09 +, yangjihong wrote:
> On 12/15/2017 10:31 PM, yangjihong wrote:
> > On 12/14/2017 12:42 PM, Casey Schaufler wrote:
> > > On 12/14/2017 9:15 AM, Stephen Smalley wrote:
> > > > On Thu, 2017-12-14 at 09:00 -0800, Casey Schaufler wrote:
>
On Mon, 2017-12-18 at 17:36 +, Arnold, Paul C CTR USARMY PEO STRI
(US) wrote:
> All,
>
> I am experiencing some issues using range_transition on objects when
> type_transition is also involved on the object. Specifically, a
> range_transition rule on a target object with a "final" type (e.g.
On Wed, 2017-12-13 at 13:16 +0100, Petr Lautrbach wrote:
> Commit 985753f changed behavior of seobject class constructors. While
> semanage itself was fixed, there are other tools like
> system-config-selinux and chcat which depend on the original
> behavior.
> This change make the constructors bac
On Sat, Dec 23, 2017 at 3:03 AM, Li Kun wrote:
> Hi all,
> When I start a docker container, the runc will call selinux_setprocattr to
> set the exec_sid before start the container.
> Meanwhile if i use "semodule -i" to load a policy pp, the old sidtab will
> be shutdown before switch to the new s
On Dec 28, 2017 10:14 PM, "Li Kun" wrote:
On 2017/12/28 22:57, Stephen Smalley wrote:
On Sat, Dec 23, 2017 at 3:03 AM, Li Kun wrote:
> Hi all,
> When I start a docker container, the runc will call selinux_setprocattr to
> set the exec_sid before start the container.
>
On Jan 1, 2018 8:40 PM, "Li Kun" wrote:
On 2017/12/30 1:25, Stephen Smalley wrote:
On Dec 28, 2017 10:14 PM, "Li Kun" wrote:
On 2017/12/28 22:57, Stephen Smalley wrote:
On Sat, Dec 23, 2017 at 3:03 AM, Li Kun wrote:
> Hi all,
> When I start a docker con
On Jan 2, 2018 1:37 AM, "Li Kun" wrote:
On 2018/1/2 12:16, Stephen Smalley wrote:
On Jan 1, 2018 8:40 PM, "Li Kun" wrote:
On 2017/12/30 1:25, Stephen Smalley wrote:
On Dec 28, 2017 10:14 PM, "Li Kun" wrote:
On 2017/12/28 22:57, Stephen Smalley wrote:
On Sat, D
Try testing such a patch to see if it resolves your issue. However, I think
if you switch to installing your policy module from your package post
scriptlet, you won't encounter this issue in the first place.
On Jan 3, 2018 7:26 AM, "Li Kun" wrote:
>
>
> On 2018/1/2 2
On Mon, 2018-01-08 at 16:10 +0100, Vit Mojzis wrote:
> Hi all,
> there seems to be a discrepancy between man page and actual behavior
> of
> selabel_lookup() with MEDIA backend.
> selabel_media man page says:
> "Should there not be a valid entry in the media file, then the
> default removabl
alsh wrote:
> > On 01/09/2018 10:40 AM, Stephen Smalley wrote:
> > > On Tue, 2018-01-09 at 10:19 -0500, Daniel Walsh wrote:
> > > > For some reason semodule will not allow me to install
> > > > container.pp.
> > > > I
> > > >
On Tue, 2018-01-09 at 16:56 +, Richard Haines wrote:
> On Tue, 2018-01-09 at 10:11 -0500, Stephen Smalley wrote:
> > On Mon, 2018-01-08 at 16:10 +0100, Vit Mojzis wrote:
> > > Hi all,
> > > there seems to be a discrepancy between man page and act
On Jan 14, 2018 10:36 AM, "Richard Haines"
wrote:
Add new option to semanage.conf that allows the tmp build files
to be kept for debugging when building policy.
Would it be better to just retain the files by default if there is an
error?
Signed-off-by: Richard Haines
---
libsemanage/man/man
On Thu, 2018-01-11 at 17:22 +0100, Petr Lautrbach wrote:
> It's used by third parties, e.g. Ansible modules
>
> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1527745
Thanks, applied.
>
> Signed-off-by: Petr Lautrbach
> ---
> python/semanage/seobject.py | 3 +++
> 1 file changed, 3 insert
On Thu, 2018-01-11 at 18:44 +0100, Vit Mojzis wrote:
> moduleRecords.modify() calls nonexistent function
> semanage_module_update_file (maybe it should have been
> semanage_module_upgrade_file which is now obsolete and calls
> semanage_module_install_file) and the job of updating a module is
> done
On Fri, 2018-01-12 at 16:11 +0100, Marcus Folkesson wrote:
> This patch solves the following issues:
> - The pkg-config files generates odd paths when using DESTDIR without
> PREFIX
> - DESTDIR is needed during compile time to compute library and header
> paths which it should not.
> - Installing w
On Tue, 2018-01-16 at 07:47 -0800, William Roberts wrote:
> On Mon, Jan 15, 2018 at 9:32 AM, Stephen Smalley
> wrote:
> > On Jan 14, 2018 10:36 AM, "Richard Haines" > rnet.com>
> > wrote:
> >
> > Add new option to semanage.conf that allows the tmp
On Sun, 2018-01-14 at 15:02 -0500, Chris PeBenito via refpolicy wrote:
> A new release, 2.20180114, of the SELinux Reference Policy is now
> available on the GitHub site:
>
> https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease
Could we get the nnp_nosuid_transition policy capabili
On Wed, 2018-01-17 at 15:55 +0100, peter.enderb...@sony.com wrote:
> From: Peter Enderborg
>
> Holding the preempt_disable is very bad for low latency tasks
> as audio and therefore we need to break out the rule-set dependent
> part from this disable. By using a rwsem instead of rwlock we
> have
On Fri, 2018-01-19 at 11:19 +0100, Dominick Grift wrote:
> The default_type functionality is too limited because it assumes that
> all login programs associate the same type with a given role
>
> This is not the case
>
> For example:
>
> default_type for local_login: joe.role:joe.type
> default_
k sk_security, and if the case, reject the permissions.
>
> This adjustment is orthogonal to infrastructure improvements that may
> nullify the needed check, but should be added as good code hygiene.
>
> Signed-off-by: Mark Salyzyn
> Cc: Paul Moore
> Cc: Stephen Smalley
>
On Fri, 2018-01-19 at 12:19 -0500, Stephen Smalley wrote:
> On Thu, 2018-01-18 at 13:58 -0800, Mark Salyzyn wrote:
> > general protection fault: [#1] PREEMPT SMP KASAN
> > CPU: 1 PID: 14233 Comm: syz-executor2 Not tainted 4.4.112-g5f6325b
> > #28
> > task:
On Mon, 2018-01-22 at 16:38 +, Richard Haines wrote:
> Allow the tmp build files to be kept for debugging when a policy
> build fails.
>
> Signed-off-by: Richard Haines
> ---
> V2 Changes:
> Remove the retain-tmp flag and just keep tmp files on build errors.
>
> libsemanage/src/direct_api.
Forwarded Message
From: Taras Kondratiuk
To: H. Peter Anvin , Al Viro ,
Arnd Bergmann , Rob Landley , Mimi
Zohar , Jonathan Corbet ,
James McMechan
Cc: initra...@vger.kernel.org, Victor Kamensky , li
nux-...@vger.kernel.org, linux-ker...@vger.kernel.org, linux-security-m
od...@v
Forwarded Message
From: Taras Kondratiuk
To: H. Peter Anvin , Al Viro ,
Arnd Bergmann , Rob Landley , Mimi
Zohar , Jonathan Corbet ,
James McMechan
Cc: initra...@vger.kernel.org, Victor Kamensky , li
nux-...@vger.kernel.org, linux-ker...@vger.kernel.org, linux-security-m
od...@v
On Mon, 2018-01-22 at 16:38 +, Richard Haines wrote:
> Stop overwriting the commit number for the default save-previous flag
> setting (false) in semanage.conf.
>
> Allows semodule -v -i to show the correct commit number.
Thanks, applied. I was concerned that this could possibly break buggy
On Thu, 2018-01-25 at 10:22 -0800, William Roberts wrote:
> On Wed, Jan 24, 2018 at 1:42 AM, Richard Haines
> wrote:
> > Allow the tmp build files to be kept for debugging when a policy
> > build fails.
> >
> > Signed-off-by: Richard Haines
> > ---
> > V2 Changes:
> > Remove the retain-tmp flag
On Fri, 2018-01-26 at 15:32 +0100, peter.enderb...@sony.com wrote:
> Holding the preempt_disable is very bad for low latency tasks
> as audio and therefore we need to break out the rule-set dependent
> part from this disable. By using a RCU instead of rwlock we
> have an efficient locking and less
On Fri, 2018-01-26 at 15:32 +0100, peter.enderb...@sony.com wrote:
> From: Peter Enderborg
>
> To be able to use rcu locks we need to address the policydb
> through a pointer. This preparation removes the export of the
> policydb and sends pointers to it through parameter arguments.
Just for refer
On Fri, 2018-01-26 at 15:32 +0100, peter.enderb...@sony.com wrote:
> From: Peter Enderborg
>
> This is preparation for switching to RCU locks. To be able to use
> RCU we need atomic switched pointer. This adds the dynamic
> memory copying to be a single pointer. It copy all the
> data structures i
>
> - Switching emails
>
> I emailed Daniel Walsh, the man page author, and he connected me to
> Petr
> Lautrbach, who sent me to this mailing list (via my work email). The
> maintainer, Stephen Smalley, said I should remove my company's legal
> blurb at
> th
On Thu, 2018-02-01 at 09:34 -0500, Stephen Smalley wrote:
> On Mon, 2018-01-29 at 11:27 -0600, Ben Kane wrote:
> > Hello,
> >
> > Last week I was studying for the RHCSE certification, and I
> > couldn't
> > find how
> > to change SELinux's status
On Thu, 2018-02-01 at 16:17 +0100, peter enderborg wrote:
> On 01/30/2018 02:46 PM, Stephen Smalley wrote:
> > On Fri, 2018-01-26 at 15:32 +0100, peter.enderb...@sony.com wrote:
> > > From: Peter Enderborg
> > >
> > > > To be able to use rcu locks we need to
concerned.
> >
> > Anyway, here is my ack again.
> >
> > Acked-by: Paul Moore
> >
>
> Ok, both Greg KH and yours should be considered Acked-By. Been
> overstepping this boundary for _years_. AFAIK Signed-off-by is still
> pending from Stephen Smalley
On Fri, 2018-02-02 at 09:05 +0100, Peter Enderborg wrote:
> The locks are moved to dynamic allocation, we need to
> help the lockdep system to classify the locks.
> This adds to lockdep annotation for the page mutex and
> for the ss lock.
Thanks, but missing a Signed-off-by: line. Also, just to b
. That branch
will however get re-based when selinux/next is re-based (to something
4.15 based).
>
>
> On 02/02/2018 03:10 PM, Stephen Smalley wrote:
> > On Fri, 2018-02-02 at 09:05 +0100, Peter Enderborg wrote:
> > > The locks are moved to dynamic allocation, we ne
On Tue, 2018-02-06 at 17:18 -0500, Paul Moore wrote:
> On Mon, Oct 2, 2017 at 11:58 AM, Stephen Smalley
> wrote:
> > Define a selinux namespace structure (struct selinux_ns)
> > for SELinux state and pass it explicitly to all security server
> > functions. The public
On Wed, 2018-02-07 at 15:10 -0600, Matt Callaway wrote:
> Hello,
>
> I am attempting to run Docker on CentOS 7.4 with selinux and kernel
> namespaces enabled. When I do so I observe an error that leads me to
> an issue filed in github and a kernel patch that suggests that the
> cause should be fix
On Wed, 2018-02-07 at 14:56 -0500, Paul Moore wrote:
> On Wed, Feb 7, 2018 at 12:48 PM, Stephen Smalley
> wrote:
> > On Tue, 2018-02-06 at 17:18 -0500, Paul Moore wrote:
>
> ...
>
> > > While I don't think we need to tackle this as part of the
> > >
On Thu, 2018-02-08 at 08:16 +0100, peter enderborg wrote:
> On 01/30/2018 03:37 PM, Stephen Smalley wrote:
> > On Fri, 2018-01-26 at 15:32 +0100, peter.enderb...@sony.com wrote:
> > goto err;
> >
> > - rc = security_preserve_bools(newpolicydb);
> > + rc =
On Thu, 2018-02-08 at 10:20 -0500, Paul Moore wrote:
> On Wed, Feb 7, 2018 at 6:46 PM, wrote:
> > From: William Roberts
> >
> > Commit:
> > 73ff5fc selinux: cache sidtab_context_to_sid results
>
> This wouldn't prevent me from merging the patch, but since it is an
> RFC I'll go ahead and provi
On Thu, 2018-02-08 at 08:34 -0800, William Roberts wrote:
> On Thu, Feb 8, 2018 at 7:47 AM, Stephen Smalley
> wrote:
> > On Thu, 2018-02-08 at 10:20 -0500, Paul Moore wrote:
> > > On Wed, Feb 7, 2018 at 6:46 PM,
> > > wrote:
> > > > From
On Thu, 2018-02-15 at 10:30 +0530, Aman Sharma wrote:
> Hi All,
>
> I am getting one issue while running the command audit2allow and
> below is the
> logs for the same :
>
> After switching back to lower version, running "audit2allow -a"
> command show below errors repeatedly and the command doe
-off-by: Peter Enderborg
> ---
> This is the rebase of suggested patches from selinuxns tree
> and are intended to be applied on top of:
> selinux: wrap global selinux state
> from Stephen Smalley
>
> security/selinux/ss/services.c | 4
> 1 file changed, 4 insertions(+)