On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote:
Signed-off-by: Andreas Gruenbacher
Acked-by: Stephen Smalley
---
security/selinux/hooks.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote:
Here is another version of the patch queue to make gfs2 and similar file
systems work with SELinux. As suggested by Stephen Smalley [*], the relevant
uses of inode->security are wrapped in function calls that try to revalidate
invalid labels.
Add a hook to invalidate an inode's security label when the cached
information becomes invalid.
Implement the new hook in selinux: set a flag when a security label becomes
invalid. When hitting a security label which has been marked as invalid in
inode_has_perm, try reloading the label.
If an
Add functions dentry_security and inode_security for accessing
inode->i_security. These functions initially don't do much, but they
will later be used to revalidate the security labels when necessary.
Signed-off-by: Andreas Gruenbacher
---
security/selinux/hooks.c | 101
When fetching an inode's security label, check if it is still valid, and try
reloading invalid labels. Reloading will fail when we are in RCU context which
doesn't allow sleeping, or when we can't find a dentry for the inode.
(Reloading happens via iop->getxattr which takes a dentry parameter.)
Make validatetrans decisions available through selinuxfs.
"/transition" is added to selinuxfs for this purpose.
This functionality is needed by file system servers
implemented in userspace or kernelspace without the VFS
layer.
Writing "$oldcontext $newcontext $tclass $taskcontext"
to /transition
On 10/26/2015 02:42 PM, Roberts, William C wrote:
Shouldn't;
compat_validate(rec, _arr[nspec].lr, path, lineno);
in process_line() cause a failure? Right now the return code is being ignored.
I think it is historical. Originally we had it bail on error. Red Hat
had problems with that
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote:
Add functions dentry_security and inode_security for accessing
inode->i_security. These functions initially don't do much, but they
will later be used to revalidate the security labels when necessary.
Signed-off-by: Andreas Gruenbacher
On 10/24/2015 02:43 PM, Nicolas Iooss wrote:
When running sepolgen-ifgen on refpolicy (git master branch), the
following messages show up:
/usr/share/selinux/refpolicy/include/kernel/selinux.if: Syntax error
on line 3369 gen_context [type=GEN_CONTEXT]
On 10/27/2015 01:07 PM, Andrew Perepechko wrote:
Make validatetrans decisions available through selinuxfs.
"/transition" is added to selinuxfs for this purpose.
This functionality is needed by file system servers
implemented in userspace or kernelspace without the VFS
layer.
Writing
Hi Stephen!
Thank you for your response.
On Tuesday 27 Oct 2015 14:15:44 Stephen Smalley wrote:
> Follow the example of security_transition_sid(), i.e. introduce a _user
> interface() and re-factor the existing security_validate_transition()
> into a common helper that takes a bool argument.
On Tuesday 27 Oct 2015 14:46:29 Stephen Smalley wrote:
> >> Why PAGE_SIZE-1?
> >
> > This is to avoid allocation of more than a single page.
>
> Yes, but you don't need PAGE_SIZE - 1 for that. The check can just be
>
> >= PAGE_SIZE, as used elsewhere in selinuxfs.c.
A sequence of bytes
Ah, you meant that it should be either > PAGE_SIZE - 1 or >= PAGE_SIZE,
which are the same. I'll fix that.
On Tuesday 27 Oct 2015 22:25:50 Andrew Perepechko wrote:
> On Tuesday 27 Oct 2015 14:46:29 Stephen Smalley wrote:
> > >> Why PAGE_SIZE-1?
> > >
> > > This is to avoid allocation of more
On 10/27/2015 02:49 PM, william.c.robe...@intel.com wrote:
From: William Roberts
Subject line after [PATCH] should start with "libselinux: label_file:"
or similar prefix identifying affected component.
Some errors were reported by valgrind (below); fix them.