Re: [PATCH] libselinux: Replace selabel_digest hash function

2015-10-21 Thread Stephen Smalley
On 10/21/2015 11:35 AM, Richard Haines wrote: This replaces the openssl library with SHA1 hash functions extracted from [1] as this is a public domain implementation. util/selabel_digest -v option still compares the result with the openssl command "openssl dgst -sha1 -hex .." for validation.

Re: [PATCH v3 1/7] selinux: Remove unused variable in selinux_inode_init_security

2015-10-27 Thread Stephen Smalley
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Signed-off-by: Andreas Gruenbacher <agrue...@redhat.com> Acked-by: Stephen Smalley <s...@tycho.nsa.gov> --- security/selinux/hooks.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/security/selinux/hooks.c b/security/sel

Re: [PATCH v3 0/7] Inode security label invalidation

2015-10-27 Thread Stephen Smalley
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Here is another version of the patch queue to make gfs2 and similar file systems work with SELinux. As suggested by Stephen Smalley [*], the relevant uses of inode->security are wrapped in function calls that try to revalidate invalid lab

Re: [PATCH] Load libsepol.so.1 instead of libsepol.so

2015-10-28 Thread Stephen Smalley
On 10/27/2015 06:41 PM, Laurent Bigonville wrote: From: Laurent Bigonville The libsepol.so symlink is usually part of the development package; try to load the library directly instead. Thanks, applied. Next time, please remember to add your Signed-off-by and include a

Re: [PATCH v3] libselinux: label_file: fix memory leaks and uninitialized jump

2015-10-28 Thread Stephen Smalley
On 10/27/2015 05:50 PM, william.c.robe...@intel.com wrote: From: William Roberts Some errors were reported by valgrind (below); fix them. The test cases on which these leaks were detected: 1. properly formed file_contexts file. 2. malformed file_contexts file,

Re: [PATCH v3] selinux: export validatetrans decisions

2015-10-29 Thread Stephen Smalley
. Writing "$oldcontext $newcontext $tclass $taskcontext" to /validatetrans is expected to return 0 if the transition is allowed and -EPERM otherwise. Signed-off-by: Andrew Perepechko <anser...@ya.ru> Acked-by: Stephen Smalley <s...@tycho.nsa.gov> CC: andrew.perepec...@seagate.co

Re: [PATCH v4 6/7] selinux: Revalidate invalid inode security labels

2015-10-29 Thread Stephen Smalley
happens via iop->getxattr which takes a dentry parameter.) When reloading fails, continue using the old, invalid label. Signed-off-by: Andreas Gruenbacher <agrue...@redhat.com> Could probably use inode_security_novalidate() for all of the SOCK_INODE() cases, right? Otherwise, Acked-by

Re: [PATCH v4 3/7] security: Make inode argument of inode_getsecid non-const

2015-10-29 Thread Stephen Smalley
On 10/28/2015 08:47 PM, Andreas Gruenbacher wrote: Make the inode argument of the inode_getsecid hook non-const so that we can use it to revalidate invalid security labels. Signed-off-by: Andreas Gruenbacher <agrue...@redhat.com> Acked-by: Stephen Smalley <s...@tycho.nsa.gov> -

Re: [PATCH v4 2/7] security: Make inode argument of inode_getsecurity non-const

2015-10-29 Thread Stephen Smalley
On 10/28/2015 08:47 PM, Andreas Gruenbacher wrote: Make the inode argument of the inode_getsecurity hook non-const so that we can use it to revalidate invalid security labels. Signed-off-by: Andreas Gruenbacher <agrue...@redhat.com> Acked-by: Stephen Smalley <s...@tych

Re: [PATCH v4 5/7] security: Add hook to invalidate inode security labels

2015-10-29 Thread Stephen Smalley
viewed-by: James Morris <james.l.mor...@oracle.com> Acked-by: Stephen Smalley <s...@tycho.nsa.gov> --- include/linux/lsm_hooks.h | 6 ++ include/linux/security.h | 5 + security/security.c | 8 security/selinux/hoo

Re: [PATCH] fix memory leaks and uninitialized jump

2015-10-27 Thread Stephen Smalley
On 10/26/2015 02:42 PM, Roberts, William C wrote: Shouldn't; compat_validate(rec, _arr[nspec].lr, path, lineno); in process_line() cause a failure? Right now the return code is being ignored. I think it is historical. Originally we had it bail on error. Red Hat had problems with that

Re: [PATCH v3 2/7] selinux: Add accessor functions for inode->i_security

2015-10-27 Thread Stephen Smalley
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Add functions dentry_security and inode_security for accessing inode->i_security. These functions initially don't do much, but they will later be used to revalidate the security labels when necessary. Signed-off-by: Andreas Gruenbacher

Re: [PATCH] sepolgen: Reset line numbers when parsing files

2015-10-27 Thread Stephen Smalley
On 10/24/2015 02:43 PM, Nicolas Iooss wrote: When running sepolgen-ifgen on refpolicy (git master branch), the following messages show up: /usr/share/selinux/refpolicy/include/kernel/selinux.if: Syntax error on line 3369 gen_context [type=GEN_CONTEXT]

Re: [PATCH] selinux: export validatetrans decisions

2015-10-27 Thread Stephen Smalley
On 10/27/2015 01:07 PM, Andrew Perepechko wrote: Make validatetrans decisions available through selinuxfs. "/transition" is added to selinuxfs for this purpose. This functionality is needed by file system servers implemented in userspace or kernelspace without the VFS layer. Writing

Re: [PATCH v2] fix memory leaks and uninitialized jump

2015-10-27 Thread Stephen Smalley
On 10/27/2015 02:49 PM, william.c.robe...@intel.com wrote: From: William Roberts Subject line after [PATCH] should start with "libselinux: label_file:" or similar prefix identifying affected component. Some errors were reported by valgrind (below); fix them.

Re: [PATCH v3 3/7] selinux: Get rid of file_path_has_perm

2015-10-28 Thread Stephen Smalley
On 10/28/2015 07:48 AM, Andreas Gruenbacher wrote: > On Tue, Oct 27, 2015 at 5:40 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: >>> >>> Use path_has_perm directly instead. &g

Re: [PATCH v3 3/7] selinux: Get rid of file_path_has_perm

2015-10-28 Thread Stephen Smalley
On 10/28/2015 01:31 PM, Stephen Smalley wrote: On 10/28/2015 07:48 AM, Andreas Gruenbacher wrote: On Tue, Oct 27, 2015 at 5:40 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Use path_has_perm directly instead. This reverts:

Re: [PATCH V2] libselinux: Replace selabel_digest hash function

2015-10-22 Thread Stephen Smalley
On 10/22/2015 07:19 AM, Richard Haines wrote: This replaces the openssl library with SHA1 hash functions extracted from [1] as this is a public domain implementation. util/selabel_digest -v option still compares the result with the openssl command "openssl dgst -sha1 -hex .." for validation.

Re: get_default_context() hit the SIMPLE_TRANSACTION_LIMIT

2015-11-09 Thread Stephen Smalley
On 11/09/2015 08:43 AM, Miroslav Grepl wrote: We are trying to get pam_selinux + systemd-user working on Fedora Rawhide to avoid systemd-user running with init_t. The problem is with init_t domain which is unconfined domain by default on Fedora. echo -n system_u:system_r:init_t:s0 unconfined_u

Re: neverallow rules and self negation

2015-11-09 Thread Stephen Smalley
On 11/07/2015 11:29 PM, Nick Kralevich wrote: Consider the following rules: attribute foo; type asdf, foo; type asdf2, foo; allow asdf self:dir search; neverallow foo { foo -self }:dir search; This particular policy fails to compile with the following error:

Re: selinux-testsuite: mmap execmod test failure on RHEL6.7 s390x

2015-11-05 Thread Stephen Smalley
On 11/05/2015 08:27 AM, Jan Stancek wrote: - Original Message - From: "Paul Moore" <p...@paul-moore.com> To: "Stephen Smalley" <s...@tycho.nsa.gov> Cc: "Jan Stancek" <jstan...@redhat.com>, selinux@tycho.nsa.gov Sent: Wednesday, 4

Re: selinux-testsuite: mmap execmod test failure on RHEL6.7 s390x

2015-11-04 Thread Stephen Smalley
On 11/04/2015 11:49 AM, Jan Stancek wrote: Hi, I'm seeing one of the mmap tests failing on RHEL6.7. Strangely, it fails only on s390x; all other arches are PASSing. setsebool allow_execmod is set to "0" Running as user root with context unconfined_u:unconfined_r:unconfined_t:

Re: selinux-testsuite: mmap execmod test failure on RHEL6.7 s390x

2015-11-05 Thread Stephen Smalley
On 11/05/2015 10:45 AM, Jan Stancek wrote: - Original Message - From: "Stephen Smalley" <s...@tycho.nsa.gov> To: "Jan Stancek" <jstan...@redhat.com>, "Paul Moore" <p...@paul-moore.com> Cc: selinux@tycho.nsa.gov Sent: Thursday,

Re: Wrong audit message type when policy is reloaded

2015-11-06 Thread Stephen Smalley
On 11/06/2015 11:10 AM, Laurent Bigonville wrote: Hi, When the policy is reloaded, systemd and dbus are sending a USER_AVC audit event instead of a USER_MAC_POLICY_LOAD one. Looking at another object manager (the xserver) it uses the following code:

Re: does load_policy default to loading the lowest polvers available?

2015-10-14 Thread Stephen Smalley
On 10/14/2015 10:29 AM, Dominick Grift wrote: On Wed, Oct 14, 2015 at 10:17:04AM -0400, Stephen Smalley wrote: On 10/14/2015 10:11 AM, Dominick Grift wrote: On Wed, Oct 14, 2015 at 09:56:04AM -0400, Stephen Smalley wrote: On 10/14/2015 09:34 AM, Dominick Grift wrote: I had some issue

Re: does load_policy default to loading the lowest polvers available?

2015-10-14 Thread Stephen Smalley
On 10/14/2015 10:11 AM, Dominick Grift wrote: On Wed, Oct 14, 2015 at 09:56:04AM -0400, Stephen Smalley wrote: On 10/14/2015 09:34 AM, Dominick Grift wrote: I had some issue that just confused me (to say the least) It seems that I have now solved this. There were two policy.X files in my

Re: does load_policy default to loading the lowest polvers available?

2015-10-14 Thread Stephen Smalley
On 10/14/2015 11:48 AM, Dominick Grift wrote: On Wed, Oct 14, 2015 at 11:44:00AM -0400, Stephen Smalley wrote: On 10/14/2015 10:29 AM, Dominick Grift wrote: On Wed, Oct 14, 2015 at 10:17:04AM -0400, Stephen Smalley wrote: On 10/14/2015 10:11 AM, Dominick Grift wrote: On Wed, Oct 14, 2015

Re: does load_policy default to loading the lowest polvers available?

2015-10-14 Thread Stephen Smalley
On 10/14/2015 01:38 PM, Dominick Grift wrote: On Wed, Oct 14, 2015 at 07:34:16PM +0200, Dominick Grift wrote: Setools(4) doesn't work with my policy (it can't deal with cil namespaces seemingly, and returns non-sense) Besides, did you know that setools (4) does not use

Re: does load_policy default to loading the lowest polvers available?

2015-10-14 Thread Stephen Smalley
On 10/14/2015 01:34 PM, Dominick Grift wrote: On Wed, Oct 14, 2015 at 12:53:06PM -0400, Stephen Smalley wrote: On 10/14/2015 12:41 PM, Dominick Grift wrote: On Wed, Oct 14, 2015 at 12:05:27PM -0400, Stephen Smalley wrote: AFAIK, systemd just calls selinux_init_load_policy() in libselinux

Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-19 Thread Stephen Smalley
On 10/19/2015 02:09 PM, Stephen Smalley wrote: On 10/18/2015 11:00 AM, Richard Haines wrote: On Sunday, 18 October 2015, 15:07, Dominick Grift <dac.overr...@gmail.com> wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines

Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-19 Thread Stephen Smalley
On 10/18/2015 11:00 AM, Richard Haines wrote: On Sunday, 18 October 2015, 15:07, Dominick Grift wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines wrote: I added openssl to libselinux to support the

Re: [RFC PATCH v3 2/5] lsm: introduce hooks for kdbus

2015-10-20 Thread Stephen Smalley
On Mon, Oct 19, 2015 at 6:29 PM, Paul Moore <pmo...@redhat.com> wrote: > On Friday, October 09, 2015 10:56:12 AM Stephen Smalley wrote: >> On 10/07/2015 07:08 PM, Paul Moore wrote: >> > diff --git a/ipc/kdbus/connection.c b/ipc/kdbus/connection.c >> > index ef63d

Re: does load_policy default to loading the lowest polvers available?

2015-10-14 Thread Stephen Smalley
On 10/14/2015 12:41 PM, Dominick Grift wrote: On Wed, Oct 14, 2015 at 12:05:27PM -0400, Stephen Smalley wrote: AFAIK, systemd just calls selinux_init_load_policy() in libselinux (aka load_policy -i). And the approach to selecting a policy version has been stable for quite a while, so I

Re: does load_policy default to loading the lowest polvers available?

2015-10-14 Thread Stephen Smalley
On 10/14/2015 09:34 AM, Dominick Grift wrote: I had some issue that just confused me (to say the least) It seems that I have now solved this. There were two policy.X files in my /etc/selinux/SELINUXTYPE/policy dir, one 29 and one 30. The 29 seemingly had a bug in it. It seems that load_policy

Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-20 Thread Stephen Smalley
On 10/20/2015 09:42 AM, Joshua Brindle wrote: Stephen Smalley wrote: Wondering if dependency on openssl might be a license issue for Debian or others. Apparently openssl license is considered GPL-incompatible [1] [2], and obviously libselinux is linked by a variety of GPL-licensed programs

Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-20 Thread Stephen Smalley
On 10/20/2015 08:27 AM, Richard Haines wrote: On Monday, 19 October 2015, 19:10, Stephen Smalley <s...@tycho.nsa.gov> wrote: On 10/18/2015 11:00 AM, Richard Haines wrote: On Sunday, 18 October 2015, 15:07, Dominick Grift <dac.overr...@gmail.com> wrote: -BEGI

Re: [PATCH] security: selinux: Use a kmem_cache for allocation struct file_security_struct

2015-10-07 Thread Stephen Smalley
e | Slack Size | Allocation Count > --- > 770048 |192512| 577536 | 12032 > > As a result, this change reduces memory usage by 42 bytes per > file_security_struct > > Signed-off-by: Sangwoo <sangwoo2.p...

Re: [PATCH v2 1/2] security: Add hook to invalidate inode security labels

2015-10-06 Thread Stephen Smalley
On 10/05/2015 05:56 PM, Andreas Gruenbacher wrote: > On Mon, Oct 5, 2015 at 5:08 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> Not fond of these magic initialized values. > > That should be a solvable problem. > >> Is it always safe to call i

Re: [RFC PATCH v3 5/5] selinux: introduce kdbus access controls

2015-10-09 Thread Stephen Smalley
On 10/09/2015 11:39 AM, Paul Moore wrote: On Friday, October 09, 2015 11:05:58 AM Stephen Smalley wrote: On 10/07/2015 07:08 PM, Paul Moore wrote: +static int selinux_kdbus_init_inode(struct inode *inode, + const struct cred *creds) +{ + struct

Re: [PATCH] libselinux: Fix parallel build with swig python

2015-10-13 Thread Stephen Smalley
On 10/10/2015 05:09 AM, Jason Zaman wrote: Commit 966855d9a1f7b758 added selinux.py as a requirement for pywrap. This file is generated during the swig step but there is no explicit rule in the Makefile so parallel build fails. This adds another rule so the ordering is correct. jason@meriadoc

Re: [RFC PATCH V3] libselinux: Add selabel_digest function

2015-10-13 Thread Stephen Smalley
On 10/12/2015 08:26 AM, Richard Haines wrote: On Friday, 9 October 2015, 20:46, Stephen Smalley <s...@tycho.nsa.gov> wrote: On 09/30/2015 11:29 AM, Richard Haines wrote: selabel_digest(3) if enabled by the SELABEL_OPT_DIGEST option during selabel_open(3) will return an SHA1

Re: [RFC PATCH v3 1/5] kdbus: add creator credentials to the endpoints

2015-10-09 Thread Stephen Smalley
On 10/07/2015 07:08 PM, Paul Moore wrote: In order to effectively enforce LSM based access controls we need to have more information about the kdbus endpoint creator than the uid/gid currently stored in the kdbus_node_type struct. This patch replaces the uid/gid values with a reference to the

Re: [RFC PATCH V2] libselinux: Add selinux_restorecon function

2015-10-09 Thread Stephen Smalley
On 10/01/2015 11:18 AM, Richard Haines wrote: On Tuesday, 29 September 2015, 21:25, Stephen Smalley <s...@tycho.nsa.gov> wrote: On 09/27/2015 08:06 AM, Richard Haines wrote: The selinux_restorecon(3) man page details this function that relies on the selabel_digest(3) function ava

Re: [RFC PATCH v3 3/5] lsm: add support for auditing kdbus service names

2015-10-09 Thread Stephen Smalley
On 10/07/2015 07:08 PM, Paul Moore wrote: The kdbus service names will be recorded using 'service', similar to the existing dbus audit records. Signed-off-by: Paul Moore --- ChangeLog: - v3 * Ported to the 4.3-rc4 based kdbus tree - v2 * Initial draft ---

Re: Re: got some problems with the type_transition rules

2015-09-08 Thread Stephen Smalley
On 09/08/2015 05:06 AM, kuangjiou wrote: > According to this webpage, > http://selinuxproject.org/page/TypeRules > > Policy versions 25 and above also support a 'name transition' rule > > But the policy version of my OS is 26, I don't know why the type_transition > rule didn't work To see what

Re: [PATCH] libselinux: Free memory when processing media and x specfiles

2015-09-15 Thread Stephen Smalley
On 09/15/2015 09:51 AM, Richard Haines wrote: > Ensure all memory is freed - checked using valgrind > > Signed-off-by: Richard Haines Thanks, applied. > --- > libselinux/src/label_media.c | 2 +- > libselinux/src/label_x.c | 2 +- > 2 files changed, 2

Re: newrole not working when built with LSPP_PRIV=y

2015-10-01 Thread Stephen Smalley
On 10/01/2015 03:51 AM, Laurent Bigonville wrote: On 29/09/15 21:35, Stephen Smalley wrote: On 09/26/2015 09:10 PM, Laurent Bigonville wrote: [...] The patch seems to break another thing, in Fedora the newrole executable is not setuid root, but it is granted a bunch of capabilities

[PATCH 2/3] policycoreutils/newrole: Set keepcaps around setresuid calls.

2015-10-01 Thread Stephen Smalley
Set the "keep capabilities" flag around the setresuid() calls in drop_capabilities() so that we do not simultaneously drop all capabilities (when newrole is setuid). Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov> --- policycoreutils/newrole/newrole.c | 22 ++

[PATCH 3/3] Open stdin as read/write

2015-10-01 Thread Stephen Smalley
From: Sven Vermeulen As per the discussion on the selinux development mailing list, the tmux application expects the stdin to be writable. Although perhaps not the most proper way, having newrole opening the descriptor in read/write keeps the behaviour in line with what

[PATCH 1/3] Fix newrole to not drop capabilities from the bounding set.

2015-10-01 Thread Stephen Smalley
From: Dan Walsh Stop dropping capabilities from its children. Add better error messages. Signed-off-by: Dan Walsh --- policycoreutils/newrole/newrole.c | 60 +-- 1 file changed, 39 insertions(+), 21 deletions(-) diff

Re: av_decision on audit callback

2015-10-02 Thread Stephen Smalley
On 10/02/2015 04:22 PM, Roberts, William C wrote: -Original Message- From: Stephen Smalley [mailto:s...@tycho.nsa.gov] Sent: Friday, October 2, 2015 1:13 PM To: Roberts, William C; seandroid-l...@tycho.nsa.gov; selinux@tycho.nsa.gov Subject: Re: av_decision on audit callback On 10/02

Re: av_decision on audit callback

2015-10-02 Thread Stephen Smalley
On 10/02/2015 04:07 PM, Roberts, William C wrote: -Original Message- From: Stephen Smalley [mailto:s...@tycho.nsa.gov] Sent: Friday, October 2, 2015 12:12 PM To: Roberts, William C; seandroid-l...@tycho.nsa.gov; selinux@tycho.nsa.gov Subject: Re: av_decision on audit callback On 10

Re: av_decision on audit callback

2015-10-02 Thread Stephen Smalley
On 10/02/2015 02:54 PM, Stephen Smalley wrote: On 10/02/2015 02:48 PM, Roberts, William C wrote: I would like to be able to gather the result of permissive mode per domain from a check_access() call for the userspace object managers on Android. From what I can tell check_access() calls

Re: [PATCH 1/5] selinux: introduce security_context_str_to_sid

2015-09-29 Thread Stephen Smalley
copying and the test for scontext_len being zero hint at that). Introduce the helper security_context_str_to_sid() to do the strlen() call and fix all callers. Signed-off-by: Rasmus Villemoes <li...@rasmusvillemoes.dk> Acked-by: Stephen Smalley <s...@tycho.nsa.gov> --- security/sel

Re: [PATCH 0/5] selinux: minor cleanup suggestions

2015-09-29 Thread Stephen Smalley
On 09/25/2015 06:34 PM, Rasmus Villemoes wrote: A few random things I stumbled on. While I'm pretty sure of the change in 1/5, I'm also confused, because the doc for the reverse security_sid_to_context state that @scontext_len is set to "the length of the string", which one would normally

Re: newrole not working when built with LSPP_PRIV=y

2015-09-29 Thread Stephen Smalley
On 09/26/2015 09:10 PM, Laurent Bigonville wrote: Hi, Running newrole executable compiled with LSPP_PRIV=y I get the following error while it's trying to switch role: Error sending audit message. It seems that the CAP_AUDIT_WRITE capability is not set [0]. Adding this capability to the list

Re: [RFC PATCH V2] libselinux: Add selinux_restorecon function

2015-09-29 Thread Stephen Smalley
On 09/27/2015 08:06 AM, Richard Haines wrote: The selinux_restorecon(3) man page details this function that relies on the selabel_digest(3) function available from [1] (as not yet part of upstream libselinux). It has been built using the work from Android where an SHA1 hash of the specfiles is

Re: [PATCH v2] selinux: do not check open perm on ftruncate call

2015-09-18 Thread Stephen Smalley
> without the open permission. However, it introduced a new bug where > a domain with the write permission can no longer ftruncate files > without the open permission, even when they receive an already open > file. > > Signed-off-by: Jeff Vander Stoep <je...@google.com> Acke

Re: Find attributes for a type with sepol

2015-09-24 Thread Stephen Smalley
On 09/24/2015 08:43 AM, James Carter wrote: > On 09/23/2015 06:39 PM, Roberts, William C wrote: >> How would one find all the attributes of a type with libsepol, can >> someone point me to any relevant structures or functions? >> > > The policydb_t structure has type_attr_map field which maps

Re: [RFC PATCH v1 1/3] lsm: introduce hooks for kdbus

2015-09-24 Thread Stephen Smalley
On 09/23/2015 05:44 PM, Paul Moore wrote: > Add LSM access control hooks to kdbus; several new hooks are added and > the existing security_file_receive() hook is reused. The new hooks > are listed below: > > * security_kdbus_conn_new > Check if the current task is allowed to create a new

Re: [PATCH] libselinux: Fix restorecon when path has no context

2015-09-22 Thread Stephen Smalley
On 09/19/2015 09:22 PM, Nir Soffer wrote: > When a path has no context, for example, when the file was created when > selinux was disabled, selinux.restorecon(path) will fail: > > >>> selinux.restorecon('/etc/multipath.conf.new') > Traceback (most recent call last): > File "", line

Re: MAP_STACK and execstack

2015-10-05 Thread Stephen Smalley
On 10/02/2015 04:44 PM, Nick Kralevich wrote: Currently, SELinux implements the "execstack" capability using the following code: security/selinux/hooks.c function: selinux_file_mprotect() } else if (!vma->vm_file && vma->vm_start <= vma->vm_mm->start_stack &&

Re: Performance issues - huge amount of AVC misses

2015-12-08 Thread Stephen Smalley
On 12/08/2015 05:25 AM, Michal Marciniszyn wrote: Hello, we are a heavy SELinux shop and we recently ran into an AVC-related performance issue. I was trying to find an answer on the freenode IRC chat but I was sent here by multiple guys. We're running on Scientific Linux 6.6 (upgrade to 6.7 ongoing) and

Re: Performance issues - huge amount of AVC misses

2015-12-08 Thread Stephen Smalley
On 12/08/2015 09:56 AM, Michal Marciniszyn wrote: Hi Dominic, while there are quite a lot of dontaudit rules around, the amount for domains running on this node is not high. Is there any way to monitor which rules are loaded and released from the cache? Anything better than plain aggregated

Re: continuation of systemd/SELinux discussion from Github

2015-12-02 Thread Stephen Smalley
On 12/02/2015 05:18 AM, Dominick Grift wrote: Let's continue the discussion here. The last answered questionnaire is below, any further questions or comments?: "systemd --user" concept is broken as we can see/read from this thread

Re: [PATCH] policycoreutils: fix 'semanage permissive -l' subcommand

2015-12-01 Thread Stephen Smalley
On 11/30/2015 08:57 AM, Petr Lautrbach wrote: This reverts the commit 97d06737 which introduced a regression on '-l' which started to require at least one argument and fixes the original problem another way. An args.parser value is set now and the handlePermissive function uses it to print a usage

Re: continuation of systemd/SELinux discussion from Github

2015-12-02 Thread Stephen Smalley
On 12/02/2015 02:47 PM, Dominick Grift wrote: On Wed, Dec 02, 2015 at 01:20:30PM -0500, Stephen Smalley wrote: On 12/02/2015 05:18 AM, Dominick Grift wrote: Let's continue the discussion here. The last answered questionnaire is below, any further questions or comments

Re: Performance issues - huge amount of AVC misses

2015-12-09 Thread Stephen Smalley
On 12/09/2015 08:15 AM, Michal Marciniszyn wrote: Hi, after increasing the cache, I do not see many reclaims, like a couple of them here and there. The cache size had to be increased to 2048 to get to this state. # avcstat 15 537645 537623 22 22 32 32

Re: chcat is using getlogin() function that sometimes returns null/empty string

2015-12-07 Thread Stephen Smalley
On 12/07/2015 01:01 PM, Laurent Bigonville wrote: Hi, So apparently gnome-terminal developers have decided to stop updating utmp[0] file and this is breaking chcat -Ll with the following error: Traceback (most recent call last): File "/usr/bin/chcat", line 409, in

Re: Exposing secid to secctx mapping to user-space

2015-12-11 Thread Stephen Smalley
On 12/11/2015 02:55 PM, Paul Moore wrote: On Fri, Dec 11, 2015 at 1:37 PM, Daniel Cashman wrote: Hello, I would like to write a patch that would expose, via selinuxfs, the mapping between secids in the kernel and security contexts to user-space, but before doing so

Re: Exposing secid to secctx mapping to user-space

2015-12-15 Thread Stephen Smalley
On 12/15/2015 11:06 AM, Casey Schaufler wrote: On 12/15/2015 7:00 AM, Stephen Smalley wrote: On 12/14/2015 05:57 PM, Roberts, William C wrote: If I understand correctly, the goal here is to avoid the lookup from pid to context. If we somehow Had the context or a token to a context during

Re: Exposing secid to secctx mapping to user-space

2015-12-15 Thread Stephen Smalley
On 12/15/2015 12:19 PM, Joe Nall wrote: On Dec 15, 2015, at 10:06 AM, Casey Schaufler wrote: ... I have long wondered why SELinux generates the context string of the secid more than once. Audit performance alone would justify keeping it around. The variable length

Re: Exposing secid to secctx mapping to user-space

2015-12-14 Thread Stephen Smalley
On 12/14/2015 12:03 PM, Mike Palmiotto wrote: On Sun, Dec 13, 2015 at 5:06 PM, Paul Moore <p...@paul-moore.com> wrote: On Friday, December 11, 2015 05:14:38 PM Stephen Smalley wrote: Perhaps we could provide a new fixed-size tokenized version of the security context string for

Re: Exposing secid to secctx mapping to user-space

2015-12-14 Thread Stephen Smalley
On 12/14/2015 04:29 PM, Roberts, William C wrote: Subject: Re: Exposing secid to secctx mapping to user-space On 12/13/2015 2:06 PM, Paul Moore wrote: On Friday, December 11, 2015 05:14:38 PM Stephen Smalley wrote: Perhaps we could provide a new fixed-size tokenized version of the security

Re: Exposing secid to secctx mapping to user-space

2015-12-15 Thread Stephen Smalley
On 12/14/2015 05:57 PM, Roberts, William C wrote: If I understand correctly, the goal here is to avoid the lookup from pid to context. If we somehow Had the context or a token to a context during the ipc transaction to userspace, we could just use that In computing the access decision. If

Re: [PATCH] selinux: Inode label revalidation performance fix

2016-01-06 Thread Stephen Smalley
and that inode_security_revalidate can be removed entirely, which brings us back to roughly the original performance. Signed-off-by: Andreas Gruenbacher <agrue...@redhat.com> Acked-by: Stephen Smalley <s...@tycho.nsa.gov> --- security/selinux/hooks.c | 10 ++ 1 file changed, 2 insertions(+), 8 deleti

Re: Labeling nsfs filesystem

2016-01-07 Thread Stephen Smalley
On 01/07/2016 03:36 PM, Nicolas Iooss wrote: Hello, Since Linux 3.19, the targets of /proc/PID/ns/* symlinks have lived in a fs separate from /proc, named nsfs [1]. These targets are used to enter the namespace of another process by using the setns() syscall [2]. On old kernels, they were labeled

Re: security_bounded_transition fails

2015-12-18 Thread Stephen Smalley
On 12/18/2015 01:12 AM, Hannu Savolainen wrote: Hi, I'm having a problem with a multithreaded application. It does lengthy initialization in advance under relatively privileged context and then switches to a less privileged one after the moment when the actual request arrives. After that it

Re: security_bounded_transition fails

2015-12-18 Thread Stephen Smalley
On 12/18/2015 10:05 AM, Dominick Grift wrote: On Fri, Dec 18, 2015 at 11:27:13AM +, Hannu Savolainen wrote: Many thanks, Adding the allow rules seems to be enough (have to verify that one more time next week). Fortunately the typebounds rule doesn't seem to be necessary since it

Re: [PATCH] libselinux, policycoreutils: Man page warning fixes

2015-11-24 Thread Stephen Smalley
On 11/07/2015 04:20 AM, Ville Skyttä wrote: Signed-off-by: Ville Skyttä Thanks, applied. --- libselinux/man/man3/security_load_booleans.3| 2 +- libselinux/man/man3/selinux_binary_policy_path.3| 2 +- libselinux/man/man8/avcstat.8 |

Re: [PATCH] libselinux: Correct line count for property and service contexts files

2015-11-24 Thread Stephen Smalley
On 11/23/2015 08:52 AM, Richard Haines wrote: When a line number is displayed for context errors it is 2x the correct value, so reset the line count for each pass. Signed-off-by: Richard Haines Thanks, applied. --- libselinux/src/label_android_property.c |

Re: [PATCH] libsepol: Fully expand neverallowxperm rules

2015-11-24 Thread Stephen Smalley
On 11/21/2015 11:26 AM, Richard Haines wrote: Currently neverallowxperm rules will be resolved correctly when building policy, however they are not detectable when using tools such as an updated version of setools. This patch will allow these to be viewed in the same way as neverallow rules are

Re: (Userspace) AVC denial generated even if allowed by the policy?

2015-11-23 Thread Stephen Smalley
On 11/23/2015 02:06 PM, Laurent Bigonville wrote: On 23/11/15 19:44, Stephen Smalley wrote: On 11/23/2015 12:25 PM, Laurent Bigonville wrote: As you can see the results are different... So this seems to be a regression at the kernel level. Well, that depends - are you loading the same

Re: Obtaining Default Context for SELinux Users

2015-11-20 Thread Stephen Smalley
On 11/18/2015 07:26 PM, Mike Palmiotto wrote: On Wed, Nov 18, 2015 at 5:09 PM, Mike Palmiotto wrote: We're currently running into issues attempting to get a default context for a newly added SELinux user. The user has been added with semanage, and associated

Re: (Userspace) AVC denial generated even if allowed by the policy?

2015-11-23 Thread Stephen Smalley
On 11/22/2015 07:53 PM, Laurent Bigonville wrote: Hi, I'm still looking at adding SELinux support in the "at" daemon and I now have the following patch[0]. With this patch, at seems to behave like the cron daemon, as explained in the commit log: - When cron_userdomain_transition is set

Re: (Userspace) AVC denial generated even if allowed by the policy?

2015-11-23 Thread Stephen Smalley
On 11/23/2015 12:25 PM, Laurent Bigonville wrote: On 23/11/15 17:21, Stephen Smalley wrote: On 11/22/2015 07:53 PM, Laurent Bigonville wrote: Hi, I'm still looking at adding SELinux support in the "at" daemon and I now have the following patch[0]. With this patch, at seems to b

[PATCH] selinux: fix bug in conditional rules handling

2015-11-23 Thread Stephen Smalley
ug by only skipping computation of extended permissions in this situation, not the entire conditional rules processing. Reported-by: Laurent Bigonville <bi...@debian.org> Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov> --- security/selinux/ss/conditional.c | 4 ++-- 1 file changed, 2 inse

Re: [PATCH] selinux: fix bug in conditional rules handling

2015-11-23 Thread Stephen Smalley
On 11/23/2015 04:23 PM, Paul Moore wrote: On Mon, Nov 23, 2015 at 4:07 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: commit fa1aa143ac4a ("selinux: extended permissions for ioctls") introduced a bug into the handling of conditional rules, skipping the processing entirely when

Re: Labeling nsfs filesystem

2016-01-08 Thread Stephen Smalley
On 01/08/2016 08:00 AM, Christopher J. PeBenito wrote: On 1/7/2016 4:19 PM, Stephen Smalley wrote: On 01/07/2016 03:36 PM, Nicolas Iooss wrote: Hello, Since Linux 3.19 targets of /proc/PID/ns/* symlinks have lived in a fs separated from /proc, named nsfs [1]. These targets are used to enter

Re: [RFC 1/2] selinux: Stop looking up dentries from inodes

2016-06-03 Thread Stephen Smalley
On 06/01/2016 05:46 PM, Andreas Gruenbacher wrote: > On Wed, Jun 1, 2016 at 3:44 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> On 05/31/2016 11:22 AM, Andreas Gruenbacher wrote: >>> With that fixed, could you possibly put this change to test? >> >> Falls

Re: [PATCH] LSM: Reorder security_capset to do access checks properly

2016-06-01 Thread Stephen Smalley
On 06/01/2016 04:30 PM, Casey Schaufler wrote: > On 6/1/2016 1:06 PM, Stephen Smalley wrote: >> On 06/01/2016 03:27 PM, Casey Schaufler wrote: >>> Subject: [PATCH] LSM: Reorder security_capset to do access checks properly >>> >>> The security module hooks

Re: [PATCH] LSM: Reorder security_capset to do access checks properly

2016-06-01 Thread Stephen Smalley
On 06/01/2016 03:27 PM, Casey Schaufler wrote: > Subject: [PATCH] LSM: Reorder security_capset to do access checks properly > > The security module hooks that check whether a process should > be able to set a new capset are currently called after the new > values are set in cap_capset(). This

Re: Possible problem with e6afc8ac ("udp: remove headers from UDP packets before queueing")

2016-06-01 Thread Stephen Smalley
s. >> >> Hopefully I'll get 4.7-rc1 booting soon and I can do a proper >> bisection test around this patch, but I wanted to mention this now in >> case others are seeing the same problem. >> > > Thanks for the report. Please try following fix. > > sk_filter() got

Re: [PATCH 3/3] policycoreutils: setfiles - Modify to use selinux_restorecon

2016-05-31 Thread Stephen Smalley
On 05/31/2016 09:01 AM, Richard Haines wrote: > > > > > >> On Thursday, 19 May 2016, 19:24, Stephen Smalley <s...@tycho.nsa.gov> wrote: >>> On 05/10/2016 11:24 AM, Richard Haines wrote: >>> Modify setfiles and restorecon to make use of the libseli

Re: [RFC 1/2] selinux: Stop looking up dentries from inodes

2016-05-31 Thread Stephen Smalley
On 05/30/2016 09:59 AM, Andreas Gruenbacher wrote: > SELinux sometimes needs to load the security label of an inode without > knowing which dentry belongs to that inode (for example, in the > inode_permission hook). The security label is stored in an xattr; > getxattr currently requires both the

Re: abnormal SELinux context labels

2016-06-22 Thread Stephen Smalley
On 06/22/2016 02:05 PM, Bond Masuda wrote: > I'm installing CentOS 7 in a chroot'd environment to build new images of > CentOS 7 for a private cloud environment. I've done this successfully > before with CentOS 6 (with help from this list) and we have an automated > process of doing that now. I'm

Re: Protect Xen Virtualization via SElinux.

2016-06-20 Thread Stephen Smalley
On 06/20/2016 11:06 AM, Jason Long wrote: > Can you show me some examples for both ? I already pointed you to OpenXT; it is a worked example of both. > On Monday, June 20, 2016 5:13 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 06/19/2016 09:15 AM, Jason Long wrote: >

Re: Protect Xen Virtualization via SElinux.

2016-06-20 Thread Stephen Smalley
On 06/19/2016 09:15 AM, Jason Long wrote: > Hello. > How can I protect my Xen VM via SElinux? Can you show me some useful examples? I'm not entirely sure what you are asking, but possible answers: 1. If you want to apply SELinux-like controls over Xen virtual machines (domains), then you can use

Re: Selectively assigning SELinux policies to permissive and enforcement mode

2016-06-20 Thread Stephen Smalley
On 06/19/2016 07:16 PM, Taeho Kgil wrote: > Hi SELinux community, > > I'm relatively new to this mailing list and not sure if this is the > appropriate place to raise this question. > > I am trying to see if we can selectively assign policies to permissive > and enforcement. Is this a possible

Re: [PATCH 1/2] Modify audit2why analyze function to use loaded policy

2016-06-20 Thread Stephen Smalley
On 06/03/2016 11:09 AM, Joshua Brindle wrote: > Class and perms should come from the policy being used for analysis, > not the system policy so use sepol_ interfaces > > Change-Id: Ia0590ed2514249fd98810a8d4fe87f8bf5280561 > Signed-off-by: Joshua Brindle > --- >
