Re: [PATCH v3 1/7] selinux: Remove unused variable in selinux_inode_init_security

2015-10-27 Thread Stephen Smalley
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Signed-off-by: Andreas Gruenbacher Acked-by: Stephen Smalley --- security/selinux/hooks.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c

Re: [PATCH v3 0/7] Inode security label invalidation

2015-10-27 Thread Stephen Smalley
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Here is another version of the patch queue to make gfs2 and similar file systems work with SELinux. As suggested by Stephen Smalley [*], the relevant uses of inode->security are wrapped in function calls that try to revalidate invalid labels.

[PATCH v3 5/7] security: Add hook to invalidate inode security labels

2015-10-27 Thread Andreas Gruenbacher
Add a hook to invalidate an inode's security label when the cached information becomes invalid. Implement the new hook in selinux: set a flag when a security label becomes invalid. When hitting a security label which has been marked as invalid in inode_has_perm, try reloading the label. If an

[PATCH v3 2/7] selinux: Add accessor functions for inode->i_security

2015-10-27 Thread Andreas Gruenbacher
Add functions dentry_security and inode_security for accessing inode->i_security. These functions initially don't do much, but they will later be used to revalidate the security labels when necessary. Signed-off-by: Andreas Gruenbacher --- security/selinux/hooks.c | 101

[PATCH v3 6/7] selinux: Revalidate invalid inode security labels

2015-10-27 Thread Andreas Gruenbacher
When fetching an inode's security label, check if it is still valid, and try reloading invalid labels. Reloading will fail when we are in RCU context which doesn't allow sleeping, or when we can't find a dentry for the inode. (Reloading happens via iop->getxattr which takes a dentry parameter.)

[PATCH] selinux: export validatetrans decisions

2015-10-27 Thread Andrew Perepechko
Make validatetrans decisions available through selinuxfs. "/transition" is added to selinuxfs for this purpose. This functionality is needed by file system servers implemented in userspace or kernelspace without the VFS layer. Writing "$oldcontext $newcontext $tclass $taskcontext" to /transition

Re: [PATCH] fix memory leaks and uninitialized jump

2015-10-27 Thread Stephen Smalley
On 10/26/2015 02:42 PM, Roberts, William C wrote: Shouldn't; compat_validate(rec, _arr[nspec].lr, path, lineno); in process_line() cause a failure? Right now the return code is being ignored. I think it is historical. Originally we had it bail on error. Red Hat had problems with that

Re: [PATCH v3 2/7] selinux: Add accessor functions for inode->i_security

2015-10-27 Thread Stephen Smalley
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Add functions dentry_security and inode_security for accessing inode->i_security. These functions initially don't do much, but they will later be used to revalidate the security labels when necessary. Signed-off-by: Andreas Gruenbacher

Re: [PATCH] sepolgen: Reset line numbers when parsing files

2015-10-27 Thread Stephen Smalley
On 10/24/2015 02:43 PM, Nicolas Iooss wrote: When running sepolgen-ifgen on refpolicy (git master branch), the following messages show up: /usr/share/selinux/refpolicy/include/kernel/selinux.if: Syntax error on line 3369 gen_context [type=GEN_CONTEXT]

Re: [PATCH] selinux: export validatetrans decisions

2015-10-27 Thread Stephen Smalley
On 10/27/2015 01:07 PM, Andrew Perepechko wrote: Make validatetrans decisions available through selinuxfs. "/transition" is added to selinuxfs for this purpose. This functionality is needed by file system servers implemented in userspace or kernelspace without the VFS layer. Writing

Re: [PATCH] selinux: export validatetrans decisions

2015-10-27 Thread Andrew Perepechko
Hi Stephen! Thank you for the response. On Tuesday 27 Oct 2015 14:15:44 Stephen Smalley wrote: > Follow the example of security_transition_sid(), i.e. introduce a _user > interface() and re-factor the existing security_validate_transition() > into a common helper that takes a bool argument.

Re: [PATCH] selinux: export validatetrans decisions

2015-10-27 Thread Andrew Perepechko
On Tuesday 27 Oct 2015 14:46:29 Stephen Smalley wrote: > >> Why PAGE_SIZE-1? > > > > This is to avoid allocation of more than a single page. > > Yes, but you don't need PAGE_SIZE - 1 for that. The check can just be > > >= PAGE_SIZE, as used elsewhere in selinuxfs.c. A sequence of bytes

Re: [PATCH] selinux: export validatetrans decisions

2015-10-27 Thread Andrew Perepechko
Ah, you meant that it should be either > PAGE_SIZE - 1 or >= PAGE_SIZE, which are the same. I'll fix that. On Tuesday 27 Oct 2015 22:25:50 Andrew Perepechko wrote: > On Tuesday 27 Oct 2015 14:46:29 Stephen Smalley wrote: > > >> Why PAGE_SIZE-1? > > > > > > This is to avoid allocation of more

Re: [PATCH v2] fix memory leaks and uninitialized jump

2015-10-27 Thread Stephen Smalley
On 10/27/2015 02:49 PM, william.c.robe...@intel.com wrote: From: William Roberts Subject line after [PATCH] should start with "libselinux: label_file:" or similar prefix identifying affected component. Some errors were reported by valgrind (below); fix them.