Hi,
As a reminder, the selinux mailing list has moved to vger.kernel.org.
If you wish to continue following the list, please subscribe by
sending a plaintext message containing "subscribe selinux" in the body
to majord...@vger.kernel.org. Be advised that vger.kernel.org does not
accept HTML email
On 11/15/18 9:42 AM, Stephen Smalley wrote:
On 11/15/18 8:11 AM, Ondrej Mosnacek wrote:
On Mon, Nov 12, 2018 at 7:56 AM Ravi Kumar wrote:
Hi team,
On android- with latest kernels 4.14 we are seeing some denials
which seem to be very much genuine to be addressed. Where kernel is
trying to
On 11/15/18 8:11 AM, Ondrej Mosnacek wrote:
On Mon, Nov 12, 2018 at 7:56 AM Ravi Kumar wrote:
Hi team,
On android- with latest kernels 4.14 we are seeing some denials which seem to
be very much genuine to be addressed. Where kernel is trying to kill its own
created process ( might be for m
On 11/14/18 10:23 AM, Stephen Smalley wrote:
On 11/13/18 10:14 PM, Paul Moore wrote:
On Tue, Nov 13, 2018 at 4:10 PM Stephen Smalley wrote:
On 11/12/18 6:44 AM, Ondrej Mosnacek wrote:
This function has only two callers, but only one of them actually needs
the special logic at the beginning
On 11/13/18 10:14 PM, Paul Moore wrote:
On Tue, Nov 13, 2018 at 4:10 PM Stephen Smalley wrote:
On 11/12/18 6:44 AM, Ondrej Mosnacek wrote:
This function has only two callers, but only one of them actually needs
the special logic at the beginning. Factoring this logic out into
On 11/14/18 4:45 AM, Ondrej Mosnacek wrote:
On Tue, Nov 13, 2018 at 10:35 PM Stephen Smalley wrote:
On 11/13/18 8:52 AM, Ondrej Mosnacek wrote:
This patch is non-functional and moves handling of initial SIDs into a
separate table. Note that the SIDs stored in the main table are now
shifted by
On 11/13/18 8:52 AM, Ondrej Mosnacek wrote:
This patch is non-functional and moves handling of initial SIDs into a
separate table. Note that the SIDs stored in the main table are now
shifted by SECINITSID_NUM and converted to/from the actual SIDs
transparently by helper functions.
When you say
On 11/13/18 8:52 AM, Ondrej Mosnacek wrote:
This is a purely cosmetic change that encapsulates the three-step sidtab
conversion logic (shutdown -> clone -> map) into a single function
defined in sidtab.c (as opposed to services.c).
Signed-off-by: Ondrej Mosnacek
Acked-by: Stephen S
On 11/12/18 6:44 AM, Ondrej Mosnacek wrote:
This function has only two callers, but only one of them actually needs
the special logic at the beginning. Factoring this logic out into
string_to_context_struct() allows us to drop the arguments 'oldc', 's',
and 'def_sid'.
Signed-off-by: Ondrej Mosna
On 11/8/18 8:33 AM, Ishara Fernando wrote:
Dear Stephen,
Many thanks for the detailed information, it has been very useful.
In fact I have tested your steps in a similar environment (CentOS 6.10,
see versions below) as of yours in a Virtual machine based on
Virtualbox, I have reached to
On 11/7/18 2:04 AM, Ishara Fernando wrote:
Thanks Stephen, so below are the details of my SELinux setup
*Centos Version* : CentOS release 6.2 (Final)
*Kernel version* : 2.6.32-220.el6.x86_64
*RPM package* : selinux-policy-mls-3.7.19-312.el6.noarch
That's quite old. Any particular reason you
On 11/6/18 9:33 AM, Ishara Fernando wrote:
Dear all,
I have been trying to test and see how SELinux MLS works with Apache,
this is what I did to test
*1) As we're aware if we start apache process as the default SELinux
user (i.e: Just as root user) , it will obtain a security context which
On 10/31/2018 04:31 PM, Stephen Smalley wrote:
We'd like to
replace the policy rwlock with RCU at some point; there is a very old
patch that tried to do that once before, which eliminated the policy
write lock altogether (policy switch became a single pointer update),
but no one has yet
On 10/31/2018 08:27 AM, Ondrej Mosnacek wrote:
Before this patch, during a policy reload the sidtab would become frozen
and trying to map a new context to SID would be unable to add a new
entry to sidtab and fail with -ENOMEM.
Such failures are usually propagated into userspace, which has no way
On 10/31/2018 08:27 AM, Ondrej Mosnacek wrote:
This patch separates the lookup of the initial SIDs into a separate
lookup table (implemented simply by a fixed-size array), in order to
pave the way for improving the process of converting the sidtab to a new
policy during a policy reload.
The init
On 10/23/2018 09:56 AM, Ted Toth wrote:
On Tue, Oct 23, 2018 at 8:39 AM Stephen Smalley wrote:
On 10/23/2018 09:33 AM, Ted Toth wrote:
> Is it possible to modify/replace an existing mlsconstrain? In playing
> around I created mul
>my_module.cil <
Cc: Eli Cohen
Cc: James Morris
Cc: Doug Ledford
Cc: # 4.13+
Fixes: a806f7a1616f ("selinux: Create policydb version for Infiniband support")
Signed-off-by: Ondrej Mosnacek
Acked-by: Stephen Smalley
---
security/selinux/ss/policydb.c | 51 ++
On 10/23/2018 09:33 AM, Ted Toth wrote:
Is it possible to modify/replace an existing mlsconstrain? In playing
around I created multiple instances of a mlsconstrain and variations of
mlsconstrains but haven't figured out how to clean them up as I get
"Error: Unknown keyword delete' when trying t
On 10/18/2018 03:47 AM, Ondrej Mosnacek wrote:
Do the LE conversions before doing the Infiniband-related range checks.
The incorrect checks are otherwise causing a failure to load any policy
with an ibendportcon rule on BE systems. This can be reproduced by
running (on e.g. ppc64):
cat >my_modul
On 10/17/2018 05:18 PM, Paul Moore wrote:
On Wed, Oct 17, 2018 at 12:07 PM William Roberts wrote:
On Wed, Oct 17, 2018 at 7:48 AM Ondrej Mosnacek wrote:
We need to convert from little-endian before doing range checks on the
ibpkey port numbers, otherwise we would be checking a wrong value.
F
Acked-by: Stephen Smalley
---
libsepol/src/policydb.c | 14 ++
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index a6d76ca3..dc201e2f 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -2830,1
>my_module.cil <
Cc: Eli Cohen
Cc: James Morris
Cc: Doug Ledford
Cc: # 4.13+
Fixes: a806f7a1616f ("selinux: Create policydb version for Infiniband support")
Signed-off-by: Ondrej Mosnacek
Acked-by: Stephen Smalley
---
security/selinux/ss/policydb.c | 41 ++
On 10/10/2018 07:57 AM, Ville Baillie wrote:
Hi,
Does SELinux provide any sort of mechanism for blocking exec on commands
based on their command line arguments?
The proposed use case goes a little like this, allow 'wget' to access
'http://good-server-1/*' and 'http://good-server-2/*' but block
On 10/16/2018 03:09 AM, Ondrej Mosnacek wrote:
Add missing LE conversions to the Infiniband-related range checks. These
were causing a failure to load any policy with an ibendportcon rule on
BE systems. This can be reproduced by running:
cat >my_module.cil <
Cc: Eli Cohen
Cc: James Morris
Cc:
Signed-off-by: Stephen Smalley
---
README | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/README b/README
index 174551a1..1c009b01 100644
--- a/README
+++ b/README
@@ -1,5 +1,6 @@
-Please submit all bug reports and patches to selinux@tycho.nsa.gov.
-Subscribe via selinux
Hi,
The selinux mailing list is moving to vger.kernel.org.
If you wish to continue following the list, please subscribe by sending
a plaintext message containing "subscribe selinux" in the body to
majord...@vger.kernel.org.
Going forward, mailing list archiving is being provided by lore, see
On 09/30/2018 10:43 AM, Chris PeBenito wrote:
On 09/11/2018 04:20 PM, Stephen Smalley wrote:
On 09/11/2018 03:04 PM, Joe Nall wrote:
On Sep 11, 2018, at 1:29 PM, Stephen Smalley wrote:
On 09/11/2018 10:41 AM, Stephen Smalley wrote:
On 09/10/2018 06:30 PM, Ted Toth wrote:
mcstrans
On 10/03/2018 11:52 AM, Paul Moore wrote:
The overlayfs tests require setfattr and getfattr which are part of
the attr package in Fedora.
Signed-off-by: Paul Moore
Acked-by: Stephen Smalley
---
README.md |4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a
On 10/02/2018 11:58 AM, Al Viro wrote:
On Tue, Oct 02, 2018 at 01:18:30PM +0200, Ondrej Mosnacek wrote:
No. With the side of Hell, No. The bug is real, but this is
not the way to fix it.
First of all, it's still broken - e.g. mount something on a
subdirectory and watch what that thing will do
On 10/02/2018 02:48 PM, Taras Kondratiuk wrote:
Quoting Stephen Smalley (2018-09-21 07:40:58)
If we set the inode sid to the superblock def_sid on an invalid
context, then we lose the association to the original context value.
The support for deferred mapping of contexts requires allocating a
On 09/26/2018 04:34 PM, Casey Schaufler wrote:
From: Casey Schaufler
A ptrace access check with mode PTRACE_MODE_SCHED gets called
from process switching code. This precludes the use of audit or avc,
as the locking is incompatible. The only available check that
can be made without using avc is
On Wed, Sep 26, 2018, 4:35 PM Casey Schaufler wrote:
> From: Casey Schaufler
>
> A ptrace access check with mode PTRACE_MODE_SCHED gets called
> from process switching code. This precludes the use of audit or avc,
> as the locking is incompatible. The only available check that
> can be made with
y to use selinux_restorecon")
Reported-by: sajjad ahmed
Signed-off-by: Stephen Smalley
Cc: Richard Haines
---
libselinux/src/selinux_restorecon.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libselinux/src/selinux_restorecon.c
b/libselinux/src/selinux_restorecon.c
index 41f22
On 09/26/2018 10:18 AM, Stephen Smalley wrote:
On 09/26/2018 09:55 AM, sajjad ahmed via Selinux wrote:
Hi all,
I'm trying to use the setfiles utility (v 2.7) from policycoreutils to
label rootfs, it seems like setfiles excludes all the directories
straight away and labels nothing. I tri
On 09/26/2018 09:55 AM, sajjad ahmed via Selinux wrote:
Hi all,
I'm trying to use the setfiles utility (v 2.7) from policycoreutils to
label rootfs, it seems like setfiles excludes all the directories
straight away and labels nothing. I tried an older version (< 2.6) that
works fine. I'm using
On 09/25/2018 12:03 PM, Paul Moore wrote:
On Tue, Sep 25, 2018 at 9:58 AM Stephen Smalley wrote:
On 09/25/2018 01:45 AM, Taras Kondratiuk wrote:
Quoting Paul Moore (2018-09-24 20:46:57)
On Fri, Sep 21, 2018 at 10:39 AM Stephen Smalley wrote:
On 09/20/2018 06:59 PM, Taras Kondratiuk wrote
On 09/25/2018 01:45 AM, Taras Kondratiuk wrote:
Quoting Paul Moore (2018-09-24 20:46:57)
On Fri, Sep 21, 2018 at 10:39 AM Stephen Smalley wrote:
On 09/20/2018 06:59 PM, Taras Kondratiuk wrote:
Quoting Stephen Smalley (2018-09-20 07:49:12)
On 09/19/2018 10:41 PM, Taras Kondratiuk wrote
On 09/23/2018 01:09 PM, Casey Schaufler wrote:
On 9/23/2018 8:59 AM, Tetsuo Handa wrote:
On 2018/09/23 11:43, Kees Cook wrote:
I'm excited about getting this landed!
Soon. Real soon. I hope. I would very much like for
someone from the SELinux camp to chime in, especially on
the selinux_is_enab
On 09/21/2018 04:50 AM, Benjamin Schüle wrote:
Hello,
just found a bug in selinux. It appears on ubuntu 16.04 with kernel
4.15, but not with kernel 4.4.
What's going wrong:
Copy a link with "-a" option while selinux is on.
steps to reproduce:
~$ mkdir -p a/b
~$ ln -s b a/c
~$ cp -a
On 09/20/2018 06:59 PM, Taras Kondratiuk wrote:
Quoting Stephen Smalley (2018-09-20 07:49:12)
On 09/19/2018 10:41 PM, Taras Kondratiuk wrote:
Quoting Stephen Smalley (2018-09-19 12:00:33)
On 09/19/2018 12:52 PM, Taras Kondratiuk wrote:
When files on NFSv4 server are not properly labeled
On 09/19/2018 10:41 PM, Taras Kondratiuk wrote:
Quoting Stephen Smalley (2018-09-19 12:00:33)
On 09/19/2018 12:52 PM, Taras Kondratiuk wrote:
When files on NFSv4 server are not properly labeled (label doesn't match
a policy on a client) they will end up with unlabeled_t type which i
On 09/19/2018 03:41 PM, William Roberts wrote:
On Wed, Sep 19, 2018 at 12:36 PM Stephen Smalley wrote:
On 09/19/2018 03:21 PM, William Roberts wrote:
> Some people might be checking this output since it's been there so long,
>
On 09/19/2018 03:21 PM, William Roberts wrote:
Some people might be checking this output since it's been there so long,
-s would be a good way to go.
Alternatively, a way to bring back this information via a verbose option
-V could
be considered.
Either way, a simple logging mechanism analogo
On 09/19/2018 12:52 PM, Taras Kondratiuk wrote:
When files on NFSv4 server are not properly labeled (label doesn't match
a policy on a client) they will end up with unlabeled_t type which is
too generic. We would like to be able to set a default context per
mount. 'defcontext' mount option looks
On 09/12/2018 09:26 AM, Ted Toth wrote:
On Wed, Sep 12, 2018 at 8:04 AM Stephen Smalley wrote:
On 09/11/2018 04:59 PM, Ted Toth wrote:
> That's awesome and now it's got me thinking about other
> classes/permissions that we
n .te/.if files. However, if you define a class/permission
in a .cil module, you can certainly specify a require on it and use it
from a conventional .te/.if module, ala:
$ cat > usemcstrans.te <
On Tue, Sep 11, 2018 at 2:27 PM Stephen Smalley wrote:
On
On 09/11/2018 03:04 PM, Joe Nall wrote:
On Sep 11, 2018, at 1:29 PM, Stephen Smalley wrote:
On 09/11/2018 10:41 AM, Stephen Smalley wrote:
On 09/10/2018 06:30 PM, Ted Toth wrote:
mcstrans mcscolor.c also uses the same logic I'd been using to check dominance
so this too will no l
On 09/11/2018 03:29 PM, Stephen Smalley wrote:
On 09/11/2018 02:49 PM, Ted Toth wrote:
Yes I too noticed the translate permission but couldn't find any info
related to it intended purpose. Regarding CIL unfortunately I have
zero experience with it but I've installed the compiler a
se module. Try this:
$ cat > mcstrans.cil <
Then try performing permission checks with "mcstrans" as your class and
"color_use" as your permission, between a domain and itself, with
different levels.
On Tue, Sep 11, 2018 at 1:27 PM Stephen Smalley
On 09/11/2018 10:41 AM, Stephen Smalley wrote:
On 09/10/2018 06:30 PM, Ted Toth wrote:
mcstrans mcscolor.c also uses the same logic I'd been using to check
dominance so this too will no longer function as expected on el7. Do
you any suggestions for doing a 'generic' (one not tie
On 09/11/2018 01:39 PM, Joshua Brindle wrote:
On Tue, Sep 11, 2018 at 1:33 PM, Stephen Smalley wrote:
On 09/11/2018 12:53 PM, Joshua Brindle wrote:
On Tue, Sep 11, 2018 at 10:41 AM, Stephen Smalley wrote:
On 09/10/2018 06:30 PM, Ted Toth wrote:
mcstrans mcscolor.c also uses the same
On 09/11/2018 12:53 PM, Joshua Brindle wrote:
On Tue, Sep 11, 2018 at 10:41 AM, Stephen Smalley wrote:
On 09/10/2018 06:30 PM, Ted Toth wrote:
mcstrans mcscolor.c also uses the same logic I'd been using to check
dominance so this too will no longer function as expected on el7. Do yo
hanks.
On Mon, Sep 10, 2018 at 12:46 PM Stephen Smalley wrote:
On 09/10/2018 01:13 PM, Ted Toth wrote:
> We currently have code running on el6 that does a MLS dominance check by
> calling security_compute_av_raw with th
On 09/10/2018 01:13 PM, Ted Toth wrote:
We currently have code running on el6 that does a MLS dominance check by
calling security_compute_av_raw with the security object class
SECCLASS_CONTEXT with permission CONTEXT__CONTAINS as you can see in the
python code below. When I run this code on el6
On 09/05/2018 03:36 PM, Nicolas Iooss wrote:
Hello,
While reviewing the last patch sent by Vit Mojzis, I stumbled upon
something that does not feel right in "semanage user". Both "semanage
user --help" and "man 8 semanage-user" state:
usage: semanage user [-h] [-n] [-N] [-S STORE] [ --add ( -L
n by
other callers to perform caller-specific handling.
Fixes: 901ef845fa2469c ("selinux: allow per-file labeling for cgroupfs")
CC:
Reported-by: Dmitry Vyukov
Reported-by: Waiman Long
Signed-off-by: Stephen Smalley
---
security/selinux/hooks.c | 5 +
1 file changed, 5 inserti
On 09/04/2018 11:38 AM, Dmitry Vyukov wrote:
On Tue, Sep 4, 2018 at 5:28 PM, Stephen Smalley wrote:
So why not ask for help from the SELinux community? I've cc'd the selinux
list and a couple of folks involved in Debian selinux. I see a couple of
options but I don't know your
On 09/04/2018 11:02 AM, Dmitry Vyukov wrote:
On Tue, Sep 4, 2018 at 2:57 PM, Stephen Smalley wrote:
Hello,
syzbot found the following crash on:
HEAD commit: 817e60a7a2bb Merge branch 'nfp-add-NFP5000-support'
git tree: net-next
console out
On 08/31/2018 06:38 PM, Dmitry Vyukov wrote:
On Fri, Aug 31, 2018 at 9:17 AM, Stephen Smalley wrote:
On 08/31/2018 12:16 PM, Stephen Smalley wrote:
On 08/31/2018 12:07 PM, Paul Moore wrote:
On Fri, Aug 31, 2018 at 12:01 PM Stephen Smalley wrote:
On 08/29/2018 10:21 PM, Dmitry Vyukov
On 08/29/2018 12:58 AM, Paul Moore wrote:
On Tue, Aug 28, 2018 at 5:32 PM Micah Morton wrote:
The security_sb_copy_data LSM hook allows LSMs to copy custom string
name/value args passed to mount_fs() into a temporary buffer (called
"secdata") that will be accessible to LSM code during the
secur
On 08/20/2018 10:02 AM, Stephen Smalley wrote:
On 08/20/2018 02:29 AM, Sachin Grover wrote:
Hi,
My POC uses fscreate() to modify the current SELinux context of the
running process, it then creates a new node via mknod(), (), which is
then going to assign the current SELinux context over to
On 08/20/2018 12:59 PM, Schaufler, Casey wrote:
-Original Message-
From: Stephen Smalley [mailto:s...@tycho.nsa.gov]
Sent: Monday, August 20, 2018 9:03 AM
To: Schaufler, Casey ; kernel-
harden...@lists.openwall.com; linux-ker...@vger.kernel.org; linux-security-
mod...@vger.kernel.org
On 08/17/2018 06:16 PM, Casey Schaufler wrote:
SELinux considers tasks to be side-channel safe if they
have PROCESS_SHARE access.
Now the description and the code no longer match.
Signed-off-by: Casey Schaufler
---
security/selinux/hooks.c | 9 +
1 file changed, 9 insertions(+)
On 08/20/2018 02:29 AM, Sachin Grover wrote:
Hi,
My POC uses fscreate() to modify the current SELinux context of the
running process, it then creates a new node via mknod(), (), which is
then going to assign the current SELinux context over to that object.
In the call path I am seeing securi
On 08/15/2018 07:53 PM, Casey Schaufler wrote:
SELinux considers tasks to be side-channel safe if they
have PROCESS_SHARE access.
Signed-off-by: Casey Schaufler
---
security/selinux/hooks.c | 9 +
1 file changed, 9 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selin
->len can only be
strlen(context->str)+1 AFAICS. What am I missing?
From: Stephen Smalley
Sent: Monday 13 August, 18:05
Subject: Re: Possible OOB Read in Kernel Heap Memory in call to
ext4_xattr_set_entry()
To: Sachin Grover, selinux@tycho.nsa.gov, Paul Moore
On 08/13/2018 08
On 08/13/2018 08:23 AM, Stephen Smalley wrote:
On 08/13/2018 01:19 AM, Sachin Grover wrote:
Hi Stephen/Paul,
This issue was discovered using
https://android.googlesource.com/kernel/common -b android-4.9-o, but
I've verified the code path exists in msm-4.4. It likely exists in
other k
On 08/13/2018 01:19 AM, Sachin Grover wrote:
Hi Stephen/Paul,
This issue was discovered using
https://android.googlesource.com/kernel/common -b android-4.9-o, but
I've verified the code path exists in msm-4.4. It likely exists in other
kernel versions as well.
As a privileged user, one can
fusermount.
This patch does not change the behavior when the policy does not have MLS
enabled.
Signed-off-by: Jann Horn
Acked-by: Stephen Smalley
---
security/selinux/ss/mls.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/m
On 07/13/2018 10:26 AM, Laurent Bigonville wrote:
> On 13/07/18 at 16:19, Laurent Bigonville wrote:
>> On 10/07/18 at 17:58, Stephen Smalley wrote:
>>> On 07/10/2018 11:40 AM, Stephen Smalley wrote:
>>>> On 07/09/2018 04:20 PM, Nicolas Iooss wrote:
vid Howells
> cc: Paul Moore
> cc: Stephen Smalley
> cc: selinux@tycho.nsa.gov
> cc: linux-security-mod...@vger.kernel.org
> ---
>
> security/selinux/hooks.c | 264
> ++
> 1 file changed, 264 insertions(+)
>
> di
On 07/10/2018 10:00 AM, Mclain, Warren wrote:
> I am trying to find a solution for blocking the mounting of / from
> containers. This is a major security hole for Docker and all of those types
> of applications.
>
>
>
> I found the mount_anyfile Boolean but nothing that digs into that to sho
On 07/10/2018 11:40 AM, Stephen Smalley wrote:
> On 07/09/2018 04:20 PM, Nicolas Iooss wrote:
>> Hello,
>>
>> While testing a systemd update on Arch Linux, I encountered the
>> following message (in a Vagrant virtual machine):
>>
>> # semanage fcontext
On 07/09/2018 04:20 PM, Nicolas Iooss wrote:
> Hello,
>
> While testing a systemd update on Arch Linux, I encountered the
> following message (in a Vagrant virtual machine):
>
> # semanage fcontext -m -s sysadm_u -t user_home_t '/vagrant(/.*)?'
> libsemanage.get_home_dirs: Error while fetching us
On 06/18/2018 01:22 PM, Vit Mojzis wrote:
> semanage_seuser_modify_local and semanage_seuser_del_local already do
> the logging.
> Moreover, semanage log for loginRecords.__add was flawed since it
> reported old-{seuser,role,range} of default user instead of None. This
> was caused by selinux.getse
On 06/26/2018 04:43 AM, Yan, Zheng wrote:
> This is preparation for CephFS security label. CephFS's implementation uses
> dentry_init_security() to get security context before inode is created,
> then sends open/mkdir/mknod request to MDS, together with security xattr
> "security."
Can you describ
On 06/26/2018 08:42 AM, Jann Horn wrote:
> On Tue, Jun 26, 2018 at 2:15 PM Stephen Smalley wrote:
>>
>> On 06/25/2018 12:34 PM, Jann Horn wrote:
>>> If a user is accessing a file in selinuxfs with a pointer to a userspace
>>> buffer that is backed by e.g. a user
.
>
> Cc: sta...@vger.kernel.org
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Jann Horn
Only question I have is wrt the Fixes line, i.e. was this an issue until
userfaultfd was introduced, and if not,
do we need it to be back-ported any further than the commit wh
On 06/18/2018 04:33 PM, Mike Hughes wrote:
>> -Original Message-
>> From: Stephen Smalley
>> Sent: Monday, June 18, 2018 15:28
>> To: Mike Hughes ; selinux@tycho.nsa.gov
>> Subject: Re: 'setsebool -P' works but throws errors; changes not permanent
On 06/18/2018 03:44 PM, Mike Hughes wrote:
> We use Yubikey for two-factor ssh authentication which requires enabling a
> Boolean called “authlogin_yubikey”. It has been working fine until a few
> weeks ago. Errors appear when attempting to set the policy:
>
>
>
> --
>
> [Cent-7:root@my_serv
On 06/18/2018 03:24 PM, Petr Lautrbach wrote:
> Hello,
>
> libselinux sets selinux_mnt and has_selinux_config only in its constructor and
> is_selinux_enabled() and others just use selinux_mnt to check if SELinux is
> enabled. But it doesn't work correctly when you use chroot() to a directory
> w
On 06/09/2018 03:30 PM, Nicolas Iooss wrote:
> Signed-off-by: Nicolas Iooss
Thanks, applied all three.
> ---
> libsepol/cil/src/cil_resolve_ast.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libsepol/cil/src/cil_resolve_ast.c
> b/libsepol/cil/src/cil_resolve_ast.c
On 06/09/2018 04:08 PM, Nicolas Iooss wrote:
> Using clang's static analyzer is as simple as running "scan-build make",
> but in order to obtain clean and reproducible results, the build
> environment has to be cleaned beforehand ("make clean distclean").
>
> Moreover the project requires running
On 06/03/2018 12:25 PM, Nicolas Iooss wrote:
> pp's main() never set outfd to anything else than -1 so there is no
> point in closing it.
Thanks, applied all four patches.
>
> Signed-off-by: Nicolas Iooss
> ---
> policycoreutils/hll/pp/pp.c | 7 ---
> 1 file changed, 7 deletions(-)
>
> di
On 06/01/2018 09:03 AM, Russell Coker via Selinux wrote:
> The command "reboot -nffd" (kernel reboot without flushing kernel buffers or
> writing status) when run on a BTRFS system will often result in
> /var/log/audit/audit.log being unlabeled. It also results in some
> systemd-journald files l
On 05/31/2018 10:21 AM, Stephen Smalley wrote:
> On 05/31/2018 10:12 AM, peter enderborg wrote:
>> On 05/31/2018 02:42 PM, Stephen Smalley wrote:
>>> On 05/31/2018 05:04 AM, peter enderborg wrote:
>>>> On 05/30/2018 10:34 PM, Stephen Smalley wrote:
>>>>
On 05/31/2018 10:12 AM, peter enderborg wrote:
> On 05/31/2018 02:42 PM, Stephen Smalley wrote:
>> On 05/31/2018 05:04 AM, peter enderborg wrote:
>>> On 05/30/2018 10:34 PM, Stephen Smalley wrote:
>>>> On 05/30/2018 10:10 AM, Peter Enderborg wrote:
>>>>>
On 05/31/2018 05:04 AM, peter enderborg wrote:
> On 05/30/2018 10:34 PM, Stephen Smalley wrote:
>> On 05/30/2018 10:10 AM, Peter Enderborg wrote:
>>> The boolean change becomes a lot more heavy with this patch,
>>> but it is a very rare usage in compare with read only op
On 05/30/2018 10:10 AM, Peter Enderborg wrote:
> Holding the preempt_disable is very bad for low latency tasks
> such as audio and therefore we need to break out the rule-set dependent
> part from this disable. By using a RCU instead of rwlock we
> have an efficient locking and less preemption inte
On 05/30/2018 11:19 AM, Paul Moore wrote:
> On Fri, May 25, 2018 at 4:31 AM, Sachin Grover wrote:
>> Call trace:
>> [] dump_backtrace+0x0/0x428
>> [] show_stack+0x28/0x38
>> [] dump_stack+0xd4/0x124
>> [] print_address_description+0x68/0x258
>> [] kasan_report.part.2+0x228/0x2f0
>> [] kasan_
On 05/29/2018 02:28 PM, Stephen Smalley wrote:
> On 05/29/2018 11:19 AM, Laurent Bigonville wrote:
>> Hello,
>>
>> While packaging policycoreutils 2.8 I've seen that the fixfiles and
>> load_policy executables were moved from /sbin to /usr/sbin
>>
>> An
On 05/29/2018 11:19 AM, Laurent Bigonville wrote:
> Hello,
>
> While packaging policycoreutils 2.8 I've seen that the fixfiles and
> load_policy executables were moved from /sbin to /usr/sbin
>
> Any reasons for this? This seems to me like an involuntary side effect of the
> cleanup for DESTDIR
On 05/29/2018 07:39 AM, bhawna goel wrote:
> Hi Team,
>
> We are getting below error while creating policies using command
> audit2allow.orig. Can you help in identifying what could be the possible
> reason of such error.
>
> Error:
> libsepol.context_from_record: invalid security context:
> "
On 05/25/2018 04:08 AM, bhawna goel wrote:
> Hi Team,
>
> We are facing an issue with load_policy command on Centos 7.4.. Need to
> understand what it exactly does.
>
> We have Centos 7.4 machine which have two partitions .
> Ist partition (partA) have all the policies with unconfined and when w
The 20180524 / 2.8 release for the SELinux userspace is now available at:
https://github.com/SELinuxProject/selinux/wiki/Releases
A github release has also been created at:
https://github.com/SELinuxProject/selinux/releases/tag/20180524
In the future, we will likely stop hosting the releases on t
On 05/24/2018 01:48 AM, shagun maheshwari wrote:
> Hi,
>
> We have done changes in our Centos7.4 to disable the unconfined user from our
> code. We have created an iso in which we have replaced unconfined with sysadm
> and we are performing an upgrade using the new iso.
> After upgrade current
On 05/24/2018 02:12 AM, Sachin Grover wrote:
> Hi,
>
> Kernel panic is coming on calling lgetxattr() sys api with random user space
> value.
>
> [ 25.833951] Call trace:
> [ 25.833954] [] dump_backtrace+0x0/0x2a8
> [ 25.833957] [] show_stack+0x20/0x28
> [ 25.833959] [] dump_stack+0xa8/0x
assume we
can make a final 2.8 release anytime.
If anyone objects, speak up now.
>
> On Thu, May 10, 2018 at 11:20:01AM -0400, Stephen Smalley wrote:
>> A 2.8-rc3 release candidate for the SELinux userspace is now available at:
>> https://github.com/SELinuxProject/selinux/wiki/Rele
1 - 100 of 1507 matches