Re: does load_policy default to loading the lowest polvers available?

2015-10-14 Thread Stephen Smalley
On 10/14/2015 10:29 AM, Dominick Grift wrote: On Wed, Oct 14, 2015 at 10:17:04AM -0400, Stephen Smalley wrote: On 10/14/2015 10:11 AM, Dominick Grift wrote: On Wed, Oct 14, 2015 at 09:56:04AM -0400, Stephen Smalley wrote: On 10/14/2015 09:34 AM, Dominick Grift wrote: I had some issue that

Re: does load_policy default to loading the lowest polvers available?

2015-10-14 Thread Stephen Smalley
On 10/14/2015 11:48 AM, Dominick Grift wrote: On Wed, Oct 14, 2015 at 11:44:00AM -0400, Stephen Smalley wrote: On 10/14/2015 10:29 AM, Dominick Grift wrote: On Wed, Oct 14, 2015 at 10:17:04AM -0400, Stephen Smalley wrote: On 10/14/2015 10:11 AM, Dominick Grift wrote: On Wed, Oct 14, 2015 at

Re: does load_policy default to loading the lowest polvers available?

2015-10-14 Thread Stephen Smalley
On 10/14/2015 12:41 PM, Dominick Grift wrote: On Wed, Oct 14, 2015 at 12:05:27PM -0400, Stephen Smalley wrote: AFAIK, systemd just calls selinux_init_load_policy() in libselinux (aka load_policy -i). And the approach to selecting a policy version has been stable for quite a while, so I

Re: does load_policy default to loading the lowest polvers available?

2015-10-14 Thread Stephen Smalley
On 10/14/2015 01:38 PM, Dominick Grift wrote: On Wed, Oct 14, 2015 at 07:34:16PM +0200, Dominick Grift wrote: Setools(4) doesn't work with my policy (it can't deal with cil namespaces seemingly, and returns nonsense) Besides, did you know that setools (4) does not use /sys/fs/selinux/policy?

Re: does load_policy default to loading the lowest polvers available?

2015-10-14 Thread Stephen Smalley
On 10/14/2015 01:34 PM, Dominick Grift wrote: On Wed, Oct 14, 2015 at 12:53:06PM -0400, Stephen Smalley wrote: On 10/14/2015 12:41 PM, Dominick Grift wrote: On Wed, Oct 14, 2015 at 12:05:27PM -0400, Stephen Smalley wrote: AFAIK, systemd just calls selinux_init_load_policy() in libselinux

Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-19 Thread Stephen Smalley
On 10/18/2015 11:00 AM, Richard Haines wrote: On Sunday, 18 October 2015, 15:07, Dominick Grift wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines wrote: I added openssl to libselinux to support the new selabel_digest(3)

Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-19 Thread Stephen Smalley
On 10/19/2015 02:09 PM, Stephen Smalley wrote: On 10/18/2015 11:00 AM, Richard Haines wrote: On Sunday, 18 October 2015, 15:07, Dominick Grift wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines wrote: I added openssl to

Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-20 Thread Stephen Smalley
On 10/20/2015 08:27 AM, Richard Haines wrote: On Monday, 19 October 2015, 19:10, Stephen Smalley wrote: On 10/18/2015 11:00 AM, Richard Haines wrote: On Sunday, 18 October 2015, 15:07, Dominick Grift wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Sun, Oct 18

Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-20 Thread Stephen Smalley
On 10/20/2015 09:42 AM, Joshua Brindle wrote: Stephen Smalley wrote: Wondering if dependency on openssl might be a license issue for Debian or others. Apparently openssl license is considered GPL-incompatible [1] [2], and obviously libselinux is linked by a variety of GPL-licensed programs

Re: [RFC PATCH v3 2/5] lsm: introduce hooks for kdbus

2015-10-20 Thread Stephen Smalley
On Mon, Oct 19, 2015 at 6:29 PM, Paul Moore wrote: > On Friday, October 09, 2015 10:56:12 AM Stephen Smalley wrote: >> On 10/07/2015 07:08 PM, Paul Moore wrote: >> > diff --git a/ipc/kdbus/connection.c b/ipc/kdbus/connection.c >> > index ef63d65..1cb87b3 100644 >&g

Re: [PATCH] libselinux: Replace selabel_digest hash function

2015-10-21 Thread Stephen Smalley
On 10/21/2015 11:35 AM, Richard Haines wrote: This replaces the openssl library with SHA1 hash functions extracted from [1] as this is a public domain implementation. util/selabel_digest -v option still compares the result with the openssl command "openssl dgst -sha1 -hex .." for validation. [1

Re: [PATCH V2] libselinux: Replace selabel_digest hash function

2015-10-22 Thread Stephen Smalley
On 10/22/2015 07:19 AM, Richard Haines wrote: This replaces the openssl library with SHA1 hash functions extracted from [1] as this is a public domain implementation. util/selabel_digest -v option still compares the result with the openssl command "openssl dgst -sha1 -hex .." for validation. [1

Re: [PATCH v3 0/7] Inode security label invalidation

2015-10-27 Thread Stephen Smalley
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Here is another version of the patch queue to make gfs2 and similar file systems work with SELinux. As suggested by Stephen Smalley [*], the relevant uses of inode->security are wrapped in function calls that try to revalidate invalid lab

[PATCH] selinux-testsuite: unix_socket: fix uninitialized sockaddr len arguments

2015-10-27 Thread Stephen Smalley
Signed-off-by: Stephen Smalley --- tests/unix_socket/server.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/unix_socket/server.c b/tests/unix_socket/server.c index 7cbebe3..f882930 100644 --- a/tests/unix_socket/server.c +++ b/tests/unix_socket/server.c @@ -102,6

Re: [PATCH v3 1/7] selinux: Remove unused variable in selinux_inode_init_security

2015-10-27 Thread Stephen Smalley
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Signed-off-by: Andreas Gruenbacher Acked-by: Stephen Smalley --- security/selinux/hooks.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e4369d8..fc8f626 100644 --- a

Re: [PATCH v3 3/7] selinux: Get rid of file_path_has_perm

2015-10-27 Thread Stephen Smalley
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Use path_has_perm directly instead. This reverts: commit 13f8e9810bff12d01807b6f92329111f45218235 Author: David Howells Date: Thu Jun 13 23:37:55 2013 +0100 SELinux: Institute file_path_has_perm() Create a file_path_has_perm() fun

Re: [PATCH v3 2/7] selinux: Add accessor functions for inode->i_security

2015-10-27 Thread Stephen Smalley
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Add functions dentry_security and inode_security for accessing inode->i_security. These functions initially don't do much, but they will later be used to revalidate the security labels when necessary. Signed-off-by: Andreas Gruenbacher --- s

Re: [PATCH] sepolgen: Reset line numbers when parsing files

2015-10-27 Thread Stephen Smalley
On 10/24/2015 02:43 PM, Nicolas Iooss wrote: When running sepolgen-ifgen on refpolicy (git master branch), the following messages show up: /usr/share/selinux/refpolicy/include/kernel/selinux.if: Syntax error on line 3369 gen_context [type=GEN_CONTEXT] /usr/share/selinux/refpolicy/

Re: [PATCH] fix memory leaks and uninitialized jump

2015-10-27 Thread Stephen Smalley
Subject: [PATCH] libselinux: label_file: fix memory leaks and uninitialized jump On 10/26/2015 02:32 PM, william.c.robe...@intel.com wrote: From: William Roberts Some errors were reported by valgrind (below); fix them. The test cases on which these leaks were detected: Why do you

Re: [PATCH] fix memory leaks and uninitialized jump

2015-10-27 Thread Stephen Smalley
On 10/26/2015 02:42 PM, Roberts, William C wrote: Shouldn't; compat_validate(rec, &spec_arr[nspec].lr, path, lineno); in process_line() cause a failure? Right now the return code is being ignored. I think it is historical. Originally we had it bail on error. Red Hat had problems with tha

Re: [PATCH] selinux: export validatetrans decisions

2015-10-27 Thread Stephen Smalley
On 10/27/2015 01:07 PM, Andrew Perepechko wrote: Make validatetrans decisions available through selinuxfs. "/transition" is added to selinuxfs for this purpose. This functionality is needed by file system servers implemented in userspace or kernelspace without the VFS layer. Writing "$oldcontext

Re: [PATCH] selinux: export validatetrans decisions

2015-10-27 Thread Stephen Smalley
On 10/27/2015 02:27 PM, Andrew Perepechko wrote: + if (rc) + goto out; + + rc = -ENOMEM; + if (count >= PAGE_SIZE - 1) + goto out; Why PAGE_SIZE-1? This is to avoid allocation of more than a single page. Yes, but you don't need PAGE_SIZE - 1 fo

Re: [PATCH v2] fix memory leaks and uninitialized jump

2015-10-27 Thread Stephen Smalley
On 10/27/2015 02:49 PM, william.c.robe...@intel.com wrote: From: William Roberts Subject line after [PATCH] should start with "libselinux: label_file:" or similar prefix identifying affected component. Some errors were reported by valgrind (below); fix them. The test cases on which these

Re: [PATCH v3] libselinux: label_file: fix memory leaks and uninitialized jump

2015-10-28 Thread Stephen Smalley
On 10/27/2015 05:50 PM, william.c.robe...@intel.com wrote: From: William Roberts Some errors were reported by valgrind (below); fix them. The test cases on which these leaks were detected: 1. properly formed file_contexts file. 2. malformed file_contexts file, unknown type. 3. malformed file_c

Re: [PATCH] Load libsepol.so.1 instead of libsepol.so

2015-10-28 Thread Stephen Smalley
On 10/27/2015 06:41 PM, Laurent Bigonville wrote: From: Laurent Bigonville libsepol.so symlink is usually part of the development package, try to load the library directly instead. Thanks, applied. Next time, please remember to add your Signed-off-by and include a prefix in the subject line

Re: [PATCH v3 3/7] selinux: Get rid of file_path_has_perm

2015-10-28 Thread Stephen Smalley
On 10/28/2015 07:48 AM, Andreas Gruenbacher wrote: > On Tue, Oct 27, 2015 at 5:40 PM, Stephen Smalley wrote: >> On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: >>> >>> Use path_has_perm directly instead. >> >> >> This reverts: >> >>

Re: [PATCH v3 3/7] selinux: Get rid of file_path_has_perm

2015-10-28 Thread Stephen Smalley
On 10/28/2015 01:31 PM, Stephen Smalley wrote: On 10/28/2015 07:48 AM, Andreas Gruenbacher wrote: On Tue, Oct 27, 2015 at 5:40 PM, Stephen Smalley wrote: On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Use path_has_perm directly instead. This reverts: commit

Re: [PATCH v2] selinux: export validatetrans decisions

2015-10-28 Thread Stephen Smalley
On 10/27/2015 04:48 PM, Andrew Perepechko wrote: Make validatetrans decisions available through selinuxfs. "/validatetrans" is added to selinuxfs for this purpose. This functionality is needed by file system servers implemented in userspace or kernelspace without the VFS layer. Writing "$oldcont

Re: [PATCH v3] selinux: export validatetrans decisions

2015-10-29 Thread Stephen Smalley
. Writing "$oldcontext $newcontext $tclass $taskcontext" to /validatetrans is expected to return 0 if the transition is allowed and -EPERM otherwise. Signed-off-by: Andrew Perepechko Acked-by: Stephen Smalley CC: andrew.perepec...@seagate.com --- security/selinux/include/classmap.

Re: [PATCH v4 2/7] security: Make inode argument of inode_getsecurity non-const

2015-10-29 Thread Stephen Smalley
On 10/28/2015 08:47 PM, Andreas Gruenbacher wrote: Make the inode argument of the inode_getsecurity hook non-const so that we can use it to revalidate invalid security labels. Signed-off-by: Andreas Gruenbacher Acked-by: Stephen Smalley --- include/linux/lsm_hooks.h | 2 +- include

Re: [PATCH v4 3/7] security: Make inode argument of inode_getsecid non-const

2015-10-29 Thread Stephen Smalley
On 10/28/2015 08:47 PM, Andreas Gruenbacher wrote: Make the inode argument of the inode_getsecid hook non-const so that we can use it to revalidate invalid security labels. Signed-off-by: Andreas Gruenbacher Acked-by: Stephen Smalley --- include/linux/audit.h | 8 include

Re: [PATCH v4 4/7] selinux: Add accessor functions for inode->i_security

2015-10-29 Thread Stephen Smalley
enbacher Acked-by: Stephen Smalley --- security/selinux/hooks.c | 97 1 file changed, 56 insertions(+), 41 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a8f09af..48d1908 100644 --- a/security/selinux/hooks

Re: [PATCH v4 5/7] security: Add hook to invalidate inode security labels

2015-10-29 Thread Stephen Smalley
orris Acked-by: Stephen Smalley --- include/linux/lsm_hooks.h | 6 ++ include/linux/security.h | 5 + security/security.c | 8 security/selinux/hooks.c | 30 -- security/selinux/include/objsec.h | 6 +

Re: [PATCH v4 6/7] selinux: Revalidate invalid inode security labels

2015-10-29 Thread Stephen Smalley
de. (Reloading happens via iop->getxattr which takes a dentry parameter.) When reloading fails, continue using the old, invalid label. Signed-off-by: Andreas Gruenbacher Could probably use inode_security_novalidate() for all of the SOCK_INODE() cases, right? Otherwise, Acked-by: Stephen Smalley

Re: [PATCH v5 6/7] selinux: Revalidate invalid inode security labels

2015-11-02 Thread Stephen Smalley
eeping, or when we can't find a dentry for the inode. (Reloading happens via iop->getxattr which takes a dentry parameter.) When reloading fails, continue using the old, invalid label. Signed-off-by: Andreas Gruenbacher Acked-by: Stephen Smalley Generally I would say that you made enou

Re: selinux-testsuite: mmap execmod test failure on RHEL6.7 s390x

2015-11-04 Thread Stephen Smalley
On 11/04/2015 11:49 AM, Jan Stancek wrote: Hi, I'm seeing one of mmap tests failing on RHEL6.7. Strange is that it fails only on s390x, all other arches are PASSing. setsebool allow_execmod is set to "0" Running as user root with context unconfined_u:unconfined_r:unconfined_t: domain_trans/tes

Re: selinux-testsuite: mmap execmod test failure on RHEL6.7 s390x

2015-11-04 Thread Stephen Smalley
On 11/04/2015 03:32 PM, Paul Moore wrote: On Wed, Nov 4, 2015 at 2:21 PM, Stephen Smalley wrote: selinux-testsuite exercises the individual kernel permission checks using its own privately defined test domains and types, so a failure indicates a kernel bug or a bug in the test policy or test

Re: selinux-testsuite: mmap execmod test failure on RHEL6.7 s390x

2015-11-05 Thread Stephen Smalley
On 11/05/2015 08:27 AM, Jan Stancek wrote: - Original Message - From: "Paul Moore" To: "Stephen Smalley" Cc: "Jan Stancek" , selinux@tycho.nsa.gov Sent: Wednesday, 4 November, 2015 10:51:15 PM Subject: Re: selinux-testsuite: mmap execmod test failure

Re: selinux-testsuite: mmap execmod test failure on RHEL6.7 s390x

2015-11-05 Thread Stephen Smalley
On 11/05/2015 10:45 AM, Jan Stancek wrote: - Original Message - From: "Stephen Smalley" To: "Jan Stancek" , "Paul Moore" Cc: selinux@tycho.nsa.gov Sent: Thursday, 5 November, 2015 3:37:33 PM Subject: Re: selinux-testsuite: mmap execmod test failure o

Re: Wrong audit message type when policy is reloaded

2015-11-06 Thread Stephen Smalley
On 11/06/2015 11:10 AM, Laurent Bigonville wrote: Hi, When the policy is reloaded, systemd and dbus are sending a USER_AVC audit event instead of a USER_MAC_POLICY_LOAD one. Looking at another object manager (the xserver) it uses the following code: http://cgit.freedesktop.org/xorg/xserver/tre

Re: get_default_context() hit the SIMPLE_TRANSACTION_LIMIT

2015-11-09 Thread Stephen Smalley
On 11/09/2015 08:43 AM, Miroslav Grepl wrote: We are trying to get pam_selinux + systemd-user working on Fedora Rawhide to avoid systemd-user running with init_t. The problem is with init_t domain which is unconfined domain by default on Fedora. echo -n system_u:system_r:init_t:s0 unconfined_u

Re: neverallow rules and self negation

2015-11-09 Thread Stephen Smalley
On 11/07/2015 11:29 PM, Nick Kralevich wrote: Consider the following rules: attribute foo; type asdf, foo; type asdf2, foo; allow asdf self:dir search; neverallow foo { foo -self }:dir search; This particular policy fails to compile with the following error: libsepol.report_fail

Re: Obtaining Default Context for SELinux Users

2015-11-20 Thread Stephen Smalley
On 11/18/2015 07:26 PM, Mike Palmiotto wrote: On Wed, Nov 18, 2015 at 5:09 PM, Mike Palmiotto wrote: We're currently running into issues attempting to get a default context for a newly added SELinux user. The user has been added with semanage, and associated with a few roles. There are role de

Re: (Userspace) AVC denial generated even if allowed by the policy?

2015-11-23 Thread Stephen Smalley
On 11/22/2015 07:53 PM, Laurent Bigonville wrote: Hi, I'm still looking at adding SELinux support in the "at" daemon and I now have the following patch[0]. With this patch, at seems to behave like the cron daemon, as explained in the commit log: - When cron_userdomain_transition is set to

Re: (Userspace) AVC denial generated even if allowed by the policy?

2015-11-23 Thread Stephen Smalley
On 11/23/2015 12:25 PM, Laurent Bigonville wrote: On 23/11/15 17:21, Stephen Smalley wrote: On 11/22/2015 07:53 PM, Laurent Bigonville wrote: Hi, I'm still looking at adding SELinux support in the "at" daemon and I now have the following patch[0]. With this patch, at seems

Re: (Userspace) AVC denial generated even if allowed by the policy?

2015-11-23 Thread Stephen Smalley
On 11/23/2015 02:06 PM, Laurent Bigonville wrote: On 23/11/15 19:44, Stephen Smalley wrote: On 11/23/2015 12:25 PM, Laurent Bigonville wrote: As you can see the results are different... So this seems to be regression at the kernel level. Well, that depends - are you loading the same

[PATCH] selinux: fix bug in conditional rules handling

2015-11-23 Thread Stephen Smalley
ug by only skipping computation of extended permissions in this situation, not the entire conditional rules processing. Reported-by: Laurent Bigonville Signed-off-by: Stephen Smalley --- security/selinux/ss/conditional.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/

Re: [PATCH] selinux: fix bug in conditional rules handling

2015-11-23 Thread Stephen Smalley
On 11/23/2015 04:23 PM, Paul Moore wrote: On Mon, Nov 23, 2015 at 4:07 PM, Stephen Smalley wrote: commit fa1aa143ac4a ("selinux: extended permissions for ioctls") introduced a bug into the handling of conditional rules, skipping the processing entirely when the caller does not

Re: [PATCH] libsepol: Fully expand neverallowxperm rules

2015-11-24 Thread Stephen Smalley
On 11/21/2015 11:26 AM, Richard Haines wrote: Currently neverallowxperm rules will be resolved correctly when building policy, however they are not detectable when using tools such as an updated version of setools. This patch will allow these to be viewed in the same way as neverallow rules are i

Re: [PATCH] libselinux: Correct line count for property and service contexts files

2015-11-24 Thread Stephen Smalley
On 11/23/2015 08:52 AM, Richard Haines wrote: When a line number is displayed for context errors they are x2 the correct value, so reset line count for each pass. Signed-off-by: Richard Haines Thanks, applied. --- libselinux/src/label_android_property.c | 3 ++- 1 file changed, 2 inserti

Re: [PATCH] libselinux, policycoreutils: Man page warning fixes

2015-11-24 Thread Stephen Smalley
On 11/07/2015 04:20 AM, Ville Skyttä wrote: Signed-off-by: Ville Skyttä Thanks, applied. --- libselinux/man/man3/security_load_booleans.3| 2 +- libselinux/man/man3/selinux_binary_policy_path.3| 2 +- libselinux/man/man8/avcstat.8 | 2 +- libselinux/man

Re: [PATCH] policycoreutils: replace string.join() with str.join()

2015-12-01 Thread Stephen Smalley
On 11/25/2015 07:21 AM, Petr Lautrbach wrote: Fixes Python 3 error: AttributeError: module 'string' has no attribute 'join' Based on a patch by Tomas Radej Signed-off-by: Petr Lautrbach Thanks, applied. --- policycoreutils/semanage/seobject.py | 6 +++--- 1 file changed, 3 insertions

Re: [PATCH] policycoreutils: fix 'semanage permissive -l' subcommand

2015-12-01 Thread Stephen Smalley
On 11/30/2015 08:57 AM, Petr Lautrbach wrote: This reverts the commit 97d06737 which introduced a regression on '-l' which started to require at least one argument and fixes the original problem another way. An args.parser value is set now and the handlePermissive function uses it to print a usage mess

Re: continuation of systemd/SELinux discussion from Github

2015-12-02 Thread Stephen Smalley
On 12/02/2015 05:18 AM, Dominick Grift wrote: Let's continue the discussion here. The last answered questionnaire is below, any further questions or comments?: "systemd --user" concept is broken as we can see/read from this thread from

Re: continuation of systemd/SELinux discussion from Github

2015-12-02 Thread Stephen Smalley
On 12/02/2015 02:47 PM, Dominick Grift wrote: On Wed, Dec 02, 2015 at 01:20:30PM -0500, Stephen Smalley wrote: On 12/02/2015 05:18 AM, Dominick Grift wrote: Let's continue the discussion here. The last answered questionnaire is below, any further questions or com

Re: continuation of systemd/SELinux discussion from Github

2015-12-03 Thread Stephen Smalley
On 12/03/2015 11:02 AM, Miroslav Grepl wrote: On 12/02/2015 10:23 PM, Stephen Smalley wrote: On 12/02/2015 02:47 PM, Dominick Grift wrote: On Wed, Dec 02, 2015 at 01:20:30PM -0500, Stephen Smalley wrote: On 12/02/2015 05:18 AM, Dominick Grift wrote: Let's continue the discussion here.

Re: chcat is using getlogin() function that sometimes returns null/empty string

2015-12-07 Thread Stephen Smalley
On 12/07/2015 01:01 PM, Laurent Bigonville wrote: Hi, So apparently gnome-terminal developers have decided to stop updating utmp[0] file and this is breaking chcat -Ll with the following error: Traceback (most recent call last): File "/usr/bin/chcat", line 409, in sys.exit(listusercats

Re: Performance issues - huge amount of AVC misses

2015-12-08 Thread Stephen Smalley
On 12/08/2015 09:56 AM, Michal Marciniszyn wrote: Hi Dominic, while there is quite a lot of dontaudit rules around, the amount for domains running on this node is not high. Is there any way to monitor which rules are loaded and released from the cache? Anything better than plain aggregated s

Re: Performance issues - huge amount of AVC misses

2015-12-08 Thread Stephen Smalley
On 12/08/2015 05:25 AM, Michal Marciniszyn wrote: Hello, we are a heavy SELinux shop and we recently ran into an AVC related performance issue. I was trying to find an answer on freenode IRC chat but I was sent here by multiple guys. We're running on Scientific Linux 6.6 (upgrade to 6.7 ongoing) and

Re: Performance issues - huge amount of AVC misses

2015-12-08 Thread Stephen Smalley
On 12/08/2015 11:21 AM, Michal Marciniszyn wrote: Hi, there are neither categories nor MLS used on the system. I'll get the amount of different types used by the system (I need to do some digging, will get the data tomorrow). Most of classes will be regular file, directories and some symbolic li

Re: Behavior of mmap()ed files on setcon()?

2015-12-09 Thread Stephen Smalley
On 12/08/2015 07:44 PM, Nick Kralevich wrote: When a process performs a setcon() call, SELinux revalidates any open file descriptors. Any file descriptors not allowed by the new context are invalidated at setcon time. Not quite right. SELinux does file descriptor revalidation on: a) use (e.g.

Re: Performance issues - huge amount of AVC misses

2015-12-09 Thread Stephen Smalley
On 12/09/2015 08:15 AM, Michal Marciniszyn wrote: Hi, after increasing the cache, I do not see many reclaims, like a couple of them here and there. The cache size had to be increased to 2048 to get to this state. # avcstat 15 537645 537623 22 22 32 32

Re: Performance issues - huge amount of AVC misses

2015-12-09 Thread Stephen Smalley
On 12/09/2015 11:07 AM, Joe Nall wrote: This thread motivated me to look at some test boxes. One is seeing about 2k misses per second under high load. Raising the cache_threshold to 1024 lowered that to 600 misses per second and raising it to 2048 lowered it to 0 with occasional bounces to 20-

Re: Exposing secid to secctx mapping to user-space

2015-12-11 Thread Stephen Smalley
On 12/11/2015 02:55 PM, Paul Moore wrote: On Fri, Dec 11, 2015 at 1:37 PM, Daniel Cashman wrote: Hello, I would like to write a patch that would expose, via selinuxfs, the mapping between secids in the kernel and security contexts to user-space, but before doing so wanted to get some feedback

Re: Exposing secid to secctx mapping to user-space

2015-12-14 Thread Stephen Smalley
On 12/14/2015 12:03 PM, Mike Palmiotto wrote: On Sun, Dec 13, 2015 at 5:06 PM, Paul Moore wrote: On Friday, December 11, 2015 05:14:38 PM Stephen Smalley wrote: Perhaps we could provide a new fixed-size tokenized version of the security context string for export to userspace that could be

Re: Exposing secid to secctx mapping to user-space

2015-12-14 Thread Stephen Smalley
On 12/14/2015 04:29 PM, Roberts, William C wrote: Subject: Re: Exposing secid to secctx mapping to user-space On 12/13/2015 2:06 PM, Paul Moore wrote: On Friday, December 11, 2015 05:14:38 PM Stephen Smalley wrote: Perhaps we could provide a new fixed-size tokenized version of the security

Re: Exposing secid to secctx mapping to user-space

2015-12-15 Thread Stephen Smalley
On 12/14/2015 05:57 PM, Roberts, William C wrote: If I understand correctly, the goal here is to avoid the lookup from pid to context. If we somehow had the context or a token to a context during the ipc transaction to userspace, we could just use that in computing the access decision. If that

Re: Exposing secid to secctx mapping to user-space

2015-12-15 Thread Stephen Smalley
On 12/15/2015 11:06 AM, Casey Schaufler wrote: On 12/15/2015 7:00 AM, Stephen Smalley wrote: On 12/14/2015 05:57 PM, Roberts, William C wrote: If I understand correctly, the goal here is to avoid the lookup from pid to context. If we somehow Had the context or a token to a context during

Re: Exposing secid to secctx mapping to user-space

2015-12-15 Thread Stephen Smalley
On 12/15/2015 12:19 PM, Joe Nall wrote: On Dec 15, 2015, at 10:06 AM, Casey Schaufler wrote: ... I have long wondered why SELinux generates the context string of the secid more than once. Audit performance alone would justify keeping it around. The variable length issue isn't so difficult as

Re: security_bounded_transition fails

2015-12-18 Thread Stephen Smalley
On 12/18/2015 01:12 AM, Hannu Savolainen wrote: Hi, I'm having a problem with a multithreaded application. It does lengthy initialization in advance under relatively privileged context and then switches to a less privileged one after the moment when the actual request arrives. After that it

Re: security_bounded_transition fails

2015-12-18 Thread Stephen Smalley
On 12/18/2015 10:05 AM, Dominick Grift wrote: On Fri, Dec 18, 2015 at 11:27:13AM +, Hannu Savolainen wrote: Many thanks, Adding the allow rules seems to be enough (have to verify that one more time next week). Fortunately the typebounds rule doesn't seem to be necessary since it triggere

Re: [PATCH] selinux: Inode label revalidation performance fix

2016-01-06 Thread Stephen Smalley
inode_security_revalidate can be removed entirely, which brings us back to roughly the original performance. Signed-off-by: Andreas Gruenbacher Acked-by: Stephen Smalley --- security/selinux/hooks.c | 10 ++ 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/security/selinux/hooks.c b

Re: Labeling nsfs filesystem

2016-01-07 Thread Stephen Smalley
On 01/07/2016 03:36 PM, Nicolas Iooss wrote: Hello, Since Linux 3.19 targets of /proc/PID/ns/* symlinks have lived in a fs separated from /proc, named nsfs [1]. These targets are used to enter the namespace of another process by using setns() syscall [2]. On old kernels, they were labeled with

Re: Labeling nsfs filesystem

2016-01-08 Thread Stephen Smalley
On 01/08/2016 08:00 AM, Christopher J. PeBenito wrote: On 1/7/2016 4:19 PM, Stephen Smalley wrote: On 01/07/2016 03:36 PM, Nicolas Iooss wrote: Hello, Since Linux 3.19 targets of /proc/PID/ns/* symlinks have lived in a fs separated from /proc, named nsfs [1]. These targets are used to enter

Re: User range vs. context's range

2016-01-20 Thread Stephen Smalley
On 01/20/2016 03:59 PM, Christopher J. PeBenito wrote: What is the intended behavior for a user's allowed range in the policy vs. any labels in the policy (e.g. netifcon)? My expectation is that the allowed range should still apply, but it doesn't seem that checkpolicy checks that, based on what

Re: User range vs. context's range

2016-01-21 Thread Stephen Smalley
On 01/21/2016 08:14 AM, Christopher J. PeBenito wrote: On 1/20/2016 4:22 PM, Stephen Smalley wrote: On 01/20/2016 03:59 PM, Christopher J. PeBenito wrote: What is the intended behavior for a user's allowed range in the policy vs. any labels in the policy (e.g. netifcon)? My expectati

Re: User range vs. context's range

2016-01-21 Thread Stephen Smalley
On 01/21/2016 04:49 PM, Stephen Smalley wrote: On 01/21/2016 08:14 AM, Christopher J. PeBenito wrote: On 1/20/2016 4:22 PM, Stephen Smalley wrote: On 01/20/2016 03:59 PM, Christopher J. PeBenito wrote: What is the intended behavior for a user's allowed range in the policy vs. any labe

Re: User range vs. context's range

2016-01-22 Thread Stephen Smalley
On 01/22/2016 09:00 AM, Christopher J. PeBenito wrote: On 1/21/2016 4:49 PM, Stephen Smalley wrote: On 01/21/2016 08:14 AM, Christopher J. PeBenito wrote: On 1/20/2016 4:22 PM, Stephen Smalley wrote: On 01/20/2016 03:59 PM, Christopher J. PeBenito wrote: What is the intended behavior for a

Re: kernel-4.3.3-303.fc23.x86_64 and selinux-policy

2016-01-28 Thread Stephen Smalley
On 01/28/2016 02:13 PM, Bill wrote: Is anyone else having a problem booting kernel-4.3.3-303.fc23.x86_64 and selinux-policy-3.13.1-158.2.fc23.noarch? Seems fine here. What kind of a problem? ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubsc

Re: Newbie question on fixfiles

2016-01-29 Thread Stephen Smalley
On 01/29/2016 12:25 PM, Thomas Downing wrote: Hi, I need to get SELinux running on an appliance we are building, not based on a distro that already supports SELinux. I've got all the userspace stuff built, (including setools3) without any warnings or errors. I followed instructions for installi

Re: Newbie question on fixfiles

2016-01-29 Thread Stephen Smalley
On 01/29/2016 01:02 PM, Stephen Smalley wrote: On 01/29/2016 12:25 PM, Thomas Downing wrote: Hi, I need to get SELinux running on an appliance we are building, not based on a distro that already supports SELinux. I've got all the userspace stuff built, (including setools3) withou

Re: Newbie question on fixfiles

2016-01-29 Thread Stephen Smalley
On 01/29/2016 02:03 PM, Thomas Downing wrote: On Friday, January 29, 2016 13:02:42 Stephen Smalley wrote: On 01/29/2016 12:25 PM, Thomas Downing wrote: Hi, I need to get SELinux running on an appliance we are building, not based on a distro that already supports SELinux. I've got al

Re: Newbie question on fixfiles

2016-01-29 Thread Stephen Smalley
On 01/29/2016 02:41 PM, Thomas Downing wrote: On Friday, January 29, 2016 14:25:43 Stephen Smalley wrote: [snip] This implies that you haven't loaded a policy into the kernel. Normally this is done by init; both sysvinit and systemd should already include the necessary bits but you may ha

Re: genhomedircon uid template

2016-02-01 Thread Stephen Smalley
On 02/01/2016 04:36 AM, Jason Zaman wrote: Hi all, XDG_RUNTIME_DIR is usually /run/user/$UID but there is no way to label that in an fcontext file. It used to be /run/user/USER which is easy but not UID. What template keyword should be used for such an entry? UID? USERID? USERID is perhaps mor

Re: genhomedircon uid template

2016-02-02 Thread Stephen Smalley
On 02/02/2016 01:26 AM, Jason Zaman wrote: On Mon, Feb 01, 2016 at 02:30:37PM -0500, Stephen Smalley wrote: On 02/01/2016 04:36 AM, Jason Zaman wrote: Hi all, XDG_RUNTIME_DIR is usually /run/user/$UID but there is no way to label that in an fcontext file. It used to be /run/user/USER which is

Re: SELinux file context matching

2016-02-02 Thread Stephen Smalley
On 02/02/2016 12:48 PM, Mark Steele wrote: Hi list, I've got some file contexts setup for an application, and can't get the file context matching to work as I would expect. [root@dev1 policy]# cat /etc/selinux/targeted/contexts/files/file_contexts | grep cinched /etc/cinched(/.*)? system_u

Re: selinux_set_callback() problem

2016-02-05 Thread Stephen Smalley
On 02/04/2016 04:32 PM, Russell Coker wrote: type=USER_AVC msg=audit(1454447396.743:48359): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 path="/lib/systemd/system/reboot.target" cmdline="reboot" scontext=unconfine

Re: Copying/setting security.selinux xattr explicitly

2016-02-10 Thread Stephen Smalley
On 02/10/2016 05:59 AM, Laurent Bigonville wrote: Hello, I've a question concerning copying the security.selinux xattr explicitly. In you opinion what should happen in an implementation if it cannot be reset security.selinux on the target file? Apparently GNU cp -a ignore failures (while cp --

Re: [PATCH] read_spec_entry: fail on non-ascii

2016-02-16 Thread Stephen Smalley
-ascii characters with: : line 229 error due to: Non-ASCII characters found Signed-off-by: William Roberts Acked-by: Stephen Smalley --- libselinux/src/label_android_property.c | 15 +-- libselinux/src/label_file.h | 16 ++-- libselinux/src

Re: RESEND [PATCH V3] libselinux: Add selinux_restorecon function

2016-02-17 Thread Stephen Smalley
On 01/15/2016 11:11 AM, Richard Haines wrote: The selinux_restorecon(3) man page details this function. It has been built using the work from Android where an SHA1 hash of the specfiles is held in an extended attribute to enhance performance. Also contains components from policycoreutils/setfile

Re: [PATCH] selinux: Don't sleep inside inode_getsecid hook

2016-02-18 Thread Stephen Smalley
-by: Andreas Gruenbacher Offending caller is ima_match_rules? Acked-by: Stephen Smalley --- security/selinux/hooks.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f8110cf..f1ab715 100644 --- a/security/selinux

Re: [PATCH] libselinux: selinux_restorecon.3 man page corrections.

2016-02-22 Thread Stephen Smalley
On 02/21/2016 10:35 AM, Richard Haines wrote: Fix typos and clarify usage. Reported-by: Nicolas Iooss Signed-off-by: Richard Haines Thanks, applied. --- libselinux/man/man3/selinux_restorecon.3 | 32 1 file changed, 20 insertions(+), 12 deletions(-) di

Re: [PATCH 1/2] libselinux: procattr: return error on invalid pid_t input.

2016-02-24 Thread Stephen Smalley
On 02/23/2016 03:23 PM, Daniel Cashman wrote: From: dcashman Signed-off-by: Daniel Cashman Thanks, applied. --- libselinux/src/procattr.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c index 527a0a5..c20f0

getpidcon with pid == 0 (Was: Re: [PATCH 2/2] libselinux: procattr: return einval for <= 0 pid args.)

2016-02-24 Thread Stephen Smalley
On 02/23/2016 03:24 PM, Daniel Cashman wrote: From: dcashman getpidcon documentation does not specify that a pid of 0 refers to the current process, and getcon exists specifically to provide this functionality, and getpidcon(getpid()) would provide it as well. Disallow pid values <= 0 that may

Re: getpidcon with pid == 0 (Was: Re: [PATCH 2/2] libselinux: procattr: return einval for <= 0 pid args.)

2016-02-24 Thread Stephen Smalley
any cases where they assume that setting a variable pid == 0 degenerates to getcon behavior), and didn't see anything. I've also asked the Fedora SELinux maintainers if they know of anything that would break. On Wed, Feb 24, 2016 at 6:49 AM, Stephen Smalley mailto:s...@tycho.nsa.
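Added example (not code from the list, libselinux or the procattr patch): the two threads above turn on what a process context lookup does at the edges. The fixfiles thread points out that a kernel with selinuxfs mounted but no policy loaded still answers context queries, with the placeholder "kernel"; the procattr thread removes the accidental pid == 0 alias for the current process. The block below reads /proc/<pid>/attr/current directly, the file libselinux's getpidcon(3)/getcon(3) read, rejects pid <= 0 with EINVAL, and applies the "selinuxfs mounted and context is not kernel" test that libselinux's is_selinux_enabled() uses. The selinuxfs path /sys/fs/selinux is assumed (libselinux discovers the mount point at runtime); everything else is standard /proc and /sys layout.

```python
"""Process-context lookups over /proc, with the pid validation from the procattr thread.
Added example; not libselinux code and not part of the mailing list archive."""
from __future__ import annotations

import errno
import os

EINVAL = errno.EINVAL
PROCATTR = "/proc/{pid}/attr/current"
SELINUXFS = "/sys/fs/selinux"  # assumed mount point; libselinux discovers it at runtime


def _read_attr(path: str) -> str | None:
    """Return the context stored at path, or None when the kernel has nothing to report:
    no LSM backing procattr (read() fails with EINVAL), the attr file is absent, or it is empty."""
    try:
        with open(path, "rb") as f:
            raw = f.read()
    except OSError as e:
        if e.errno in (errno.EINVAL, errno.ENOENT):
            return None
        raise
    return raw.rstrip(b"\x00\n").decode("utf-8", "replace") or None


def getcon() -> str | None:
    """Context of the calling process; getcon(3) reads /proc/self/attr/current."""
    return _read_attr(PROCATTR.format(pid="self"))


def getpidcon(pid: int) -> str | None:
    """Context of another process. pid <= 0 is rejected up front with EINVAL, as the
    procattr patch does: 0 is not an alias for 'self' (that is what getcon is for), and a
    negative pid would be formatted into a /proc path that can never exist."""
    if not isinstance(pid, int) or isinstance(pid, bool) or pid <= 0:
        raise OSError(EINVAL, "getpidcon: pid must be a positive integer, got %r" % (pid,))
    if not os.path.isdir("/proc/%d" % pid):
        raise ProcessLookupError(errno.ESRCH, "getpidcon: no such process %d" % pid)
    return _read_attr(PROCATTR.format(pid=pid))


def is_selinux_enabled() -> bool:
    """Same two-part test as libselinux is_selinux_enabled(): selinuxfs must be mounted and
    the caller's context must not be the pre-policy placeholder "kernel". An appliance whose
    init never loaded a policy fails the second test even though selinuxfs is mounted."""
    if not os.path.exists(os.path.join(SELINUXFS, "enforce")):
        return False
    con = getcon()
    return con is not None and con != "kernel"


def policy_state() -> str:
    """Coarse state for diagnostics: 'disabled' (no selinuxfs), 'no-policy' (selinuxfs
    mounted, nothing loaded, so fixfiles/setfiles cannot work), 'permissive' or 'enforcing'."""
    enforce = os.path.join(SELINUXFS, "enforce")
    if not os.path.exists(enforce):
        return "disabled"
    if not is_selinux_enabled():
        return "no-policy"
    with open(enforce) as f:
        return "enforcing" if f.read().strip() == "1" else "permissive"


if __name__ == "__main__":
    print("policy state:", policy_state())
    print("own context:", getcon())
    print("pid 1 context:", getpidcon(1))
```

Run it as root on the appliance before running fixfiles: a result of "no-policy" means init never called load_policy, and relabeling will fail regardless of how the userspace tools were built.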

Re: Strange AVC with latest rawhide kernel.

2016-02-25 Thread Stephen Smalley
On 02/25/2016 01:02 PM, Daniel J Walsh wrote: audit2allow -wla type=AVC msg=audit(1456422969.279:1434): avc: denied { entrypoint } for pid=23847 comm="exe" path="/usr/bin/bash" dev="dm-2" ino=25165968 scontext=system_u:system_r:svirt_lxc_net_t:s0:c337,c895 tcontext=system_u:object_r:svirt_sand

Re: Strange AVC with latest rawhide kernel.

2016-02-25 Thread Stephen Smalley
On 02/25/2016 01:02 PM, Daniel J Walsh wrote: audit2allow -wla type=AVC msg=audit(1456422969.279:1434): avc: denied { entrypoint } for pid=23847 comm="exe" path="/usr/bin/bash" dev="dm-2" ino=25165968 scontext=system_u:system_r:svirt_lxc_net_t:s0:c337,c895 tcontext=system_u:object_r:svirt_sand

Re: Strange AVC with latest rawhide kernel.

2016-02-25 Thread Stephen Smalley
On 02/25/2016 01:59 PM, Daniel J Walsh wrote: On Thu, 2016-02-25 at 13:18 -0500, Stephen Smalley wrote: On 02/25/2016 01:02 PM, Daniel J Walsh wrote: audit2allow -wla type=AVC msg=audit(1456422969.279:1434): avc: denied { entrypoint } for pid=23847 comm="exe" path="/usr/bin/

Re: Strange AVC with latest rawhide kernel.

2016-02-25 Thread Stephen Smalley
rules; it doesn't do anything about typebounds. We should probably update libsepol compute_av (for that, and eventually for xperms). -Eric On Thu, 2016-02-25 at 14:12 -0500, Stephen Smalley wrote: On 02/25/2016 01:59 PM, Daniel J Walsh wrote: On Thu, 2016-02-25 at 13:18 -0500, Stephe

Re: Strange AVC with latest rawhide kernel.

2016-02-25 Thread Stephen Smalley
On 02/25/2016 03:28 PM, Daniel J Walsh wrote: On Thu, 2016-02-25 at 14:47 -0500, Stephen Smalley wrote: On 02/25/2016 02:37 PM, Eric Paris wrote: You added a type bounds right before this broke... Does the parent type have entrypoint? If not, maybe that's where it got stripped... That
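Added example (not code from the list, audit2allow or libselinux): the selinux_set_callback() thread quotes a userspace USER_AVC record from systemd and the "Strange AVC" thread a kernel AVC record, and the two formats differ in where the avc text sits. The parser below handles both, splits the contexts into user/role/type/level, expands MCS category ranges, and derives the rule audit2allow would propose, which is exactly the rule that would not help here because, as the thread works out, the entrypoint permission was stripped by a typebounds rule rather than missing from the allow rules. The two sample records are constructed after the ones quoted above; the tails the archive truncated (scontext, tcontext, tclass) are filled in with assumed values.

```python
"""Parse kernel AVC and userspace USER_AVC audit records into structured form.
Added example; not code from the selinux list, libselinux or audit2allow."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample records, modelled on the two quoted in the threads above.
# The scontext/tcontext/tclass tails truncated in the archive are assumed values.
SAMPLE_RECORDS = [
    "type=USER_AVC msg=audit(1454447396.743:48359): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } "
    "for auid=0 uid=0 gid=0 path=\"/lib/systemd/system/reboot.target\" "
    "cmdline=\"reboot\" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service "
    "exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
    "type=AVC msg=audit(1456422969.279:1434): avc:  denied  { entrypoint } for  "
    "pid=23847 comm=\"exe\" path=\"/usr/bin/bash\" dev=\"dm-2\" ino=25165968 "
    "scontext=system_u:system_r:svirt_lxc_net_t:s0:c337,c895 "
    "tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file permissive=0",
]

AUDIT_HDR = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
AVC_CORE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted value"


def parse_categories(level: str) -> frozenset[int]:
    """Expand the category part of an MLS/MCS level ('s0:c0.c1023', 's0:c337,c895') into ints.
    For a range 'low-high' the high (clearance) end is used."""
    if not level:
        return frozenset()
    high = level.split("-")[-1]
    if ":" not in high:
        return frozenset()
    cats: set[int] = set()
    for item in high.split(":", 1)[1].split(","):
        if "." in item:
            lo, hi = item.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(item[1:]))
    return frozenset(cats)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: str

    @classmethod
    def parse(cls, s: str) -> "Context":
        parts = s.split(":", 3)
        if len(parts) < 3:
            raise ValueError("malformed security context: %r" % s)
        return cls(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")

    @property
    def categories(self) -> frozenset[int]:
        return parse_categories(self.level)


@dataclass
class AvcRecord:
    record_type: str
    timestamp: float
    serial: int
    result: str
    perms: frozenset[str]
    scontext: Context
    tcontext: Context
    tclass: str
    fields: dict[str, str] = field(default_factory=dict)


def parse_avc(line: str) -> AvcRecord:
    line = line.strip()
    hdr = AUDIT_HDR.match(line)
    if hdr is None:
        raise ValueError("not an audit record: %r" % line[:40])
    body = line[hdr.end():]
    if hdr.group("type") == "USER_AVC":
        # userspace object managers (systemd, dbus) wrap the avc text in msg='...'
        wrapped = re.search(r"msg='(.*)'\s*$", body)
        if wrapped is None:
            raise ValueError("USER_AVC record without msg='...' payload")
        body = wrapped.group(1)
    core = AVC_CORE.search(body)
    if core is None:
        raise ValueError("no 'avc: denied/granted' payload in record")
    fields = {k: v.strip('"') for k, v in KV.findall(core.group("rest"))}
    for needed in ("scontext", "tcontext", "tclass"):
        if needed not in fields:
            raise ValueError("avc record missing %s=" % needed)
    return AvcRecord(hdr.group("type"), float(hdr.group("ts")), int(hdr.group("serial")),
                     core.group("result"), frozenset(core.group("perms").split()),
                     Context.parse(fields["scontext"]), Context.parse(fields["tcontext"]),
                     fields["tclass"], fields)


def to_allow_rule(rec: AvcRecord) -> str:
    """The TE rule audit2allow would print; it knows nothing about typebounds or constraints."""
    return "allow %s %s:%s { %s };" % (rec.scontext.type, rec.tcontext.type,
                                        rec.tclass, " ".join(sorted(rec.perms)))


def mcs_dominates(rec: AvcRecord) -> bool:
    """True when the subject's categories dominate the object's, i.e. MCS did not cause the denial."""
    return rec.tcontext.categories <= rec.scontext.categories


if __name__ == "__main__":
    for rec in map(parse_avc, SAMPLE_RECORDS):
        print(rec.record_type, rec.serial, sorted(rec.perms), rec.scontext.type, "->",
              rec.tcontext.type, rec.tclass, "| MCS ok:", mcs_dominates(rec))
        print("  audit2allow-style rule:", to_allow_rule(rec))
```

For the sandbox record mcs_dominates() is true (the file carries no categories), so the denial is type enforcement; when the proposed allow rule already exists in the loaded policy, the next things to check are a typebounds on the source type and constraints, which neither this helper nor audit2allow evaluates.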
