Date:	Fri, 13 Jul 2007 15:29:23 -0400
From:	Stephen Smalley <sds@...ho.nsa.gov>
To:	Michal Piotrowski <michal.k.k.piotrowski@...il.com>
Cc:	Paul Moore <paul.moore@...com>, jmorris@...ei.org,
	torvalds@...ux-foundation.org, linux-kernel@...r.kernel.org
Subject: Re: The art of breaking userspace (was Re: [GIT] SELinux changes
	for 2.6.23 (updated))

On Fri, 2007-07-13 at 21:08 +0200, Michal Piotrowski wrote:
> Paul Moore writes:
> [..]
> > On Fri, 13 Jul 2007, Michal Piotrowski wrote:
> >> My system is too secure, I can not login :)
> >>
> >> Do you have CONFIG_NETLABEL=y ?
> >>
> >> If so, please try disabling it.
> > 
> > Disabling NetLabel should solve the problem.
> 
> Disabling NetLabel solves the problem.
> 
> >  The recommended solution to this problem, as discussed on the SELinux list and mentioned in the patch description, is to upgrade your SELinux policy to the latest Reference Policy sources.  For those with custom SELinux policy, the patch description explains the changes to the SELinux policy required. 
> 
> I'm sorry to say this, but this kind of patch should not be accepted.
> 
> Patch
> 
> commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0
> Author: Paul Moore <paul.moore@...com>
> Date:   Fri Jun 29 11:48:16 2007 -0400
> 
>     SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel
> 
>     These changes will make NetLabel behave like labeled IPsec where there is an
>     access check for both labeled and unlabeled packets as well as providing the
>     ability to restrict domains to receiving only labeled packets when NetLabel
>     is in use.  The changes to the policy are straight forward with the
>     following necessary to receive labeled traffic (with SECINITSID_NETMSG
>     defined as "netlabel_peer_t"):
> 
>      allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
> 
>     The policy for unlabeled traffic would be:
> 
>      allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
> 
>     These policy changes, as well as more general NetLabel support, are included
>     in the SELinux Reference Policy SVN tree, r2352 or later.  Users who enable
>     NetLabel support in the kernel are strongly encouraged to upgrade their
>     policy to avoid network problems.
> 
>     Signed-off-by: Paul Moore <paul.moore@...com>
>     Signed-off-by: James Morris <jmorris@...ei.org>
> 
> 
> breaks systems with recent selinux policy.
> 
> (rpm -qa selinux-policy-*
> selinux-policy-devel-2.6.4-25.fc7
> selinux-policy-targeted-2.6.4-25.fc7)
> 
> I will add this as a regression unless Linus says "Fsck it! We don't care about compatibility"

Agreed, it needs to be fixed in the netlabel code.

-- 
Stephen Smalley
National Security Agency
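The commit message quoted in the thread spells out the policy rule a domain needs once NetLabel traffic is labeled netlabel_peer_t instead of unlabeled_t. The following script is an added example, not part of the original thread, the SELinux tree or the Reference Policy: it parses a constructed fragment of TE allow rules (the domain names mydom_t, olddom_t and strictdom_t and the fragment itself are made up for illustration) and reports which domains hold the old unlabeled_t recvfrom permission without the matching netlabel_peer_t one, i.e. the domains whose labeled packets would be denied after this kernel change unless the policy is updated as the commit message describes.

```python
import re

# Socket classes named in the commit message quoted above.
SOCKET_CLASSES = frozenset({"tcp_socket", "udp_socket", "rawip_socket"})

# TE allow rule: allow SRC TGT:CLASS PERMS;  CLASS and PERMS may be a single
# name or a { ... } set.  Only the subset of syntax used in the commit
# message is handled; this is not a full policy parser.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+([^\s:]+)\s*:\s*(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;",
    re.MULTILINE,
)

# Constructed policy fragment (not from any real policy): mydom_t carries both
# rules from the commit message, olddom_t only the pre-NetLabel unlabeled_t
# rule, strictdom_t accepts labeled TCP only.
SAMPLE_POLICY = """
allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
allow olddom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
allow strictdom_t netlabel_peer_t:tcp_socket recvfrom;
"""


def _expand(token):
    """Turn 'name' or '{ a b }' into a set of names."""
    token = token.strip()
    if token.startswith("{"):
        return set(token.strip("{}").split())
    return {token}


def parse_allow_rules(policy_text):
    """Return a list of (source, target, classes, perms) tuples."""
    return [
        (src, tgt, _expand(cls), _expand(perms))
        for src, tgt, cls, perms in ALLOW_RE.findall(policy_text)
    ]


def recvfrom_classes(rules, domain, peer_type):
    """Socket classes on which `domain` may recvfrom packets labeled `peer_type`."""
    classes = set()
    for src, tgt, cls, perms in rules:
        if src == domain and tgt == peer_type and "recvfrom" in perms:
            classes |= cls & SOCKET_CLASSES
    return classes


def domains_missing_labeled_recv(policy_text):
    """Domains allowed to receive unlabeled_t packets on some socket class but
    lacking the matching netlabel_peer_t rule.  With the kernel change above and
    NetLabel enabled, labeled packets to these domains are denied."""
    rules = parse_allow_rules(policy_text)
    flagged = []
    for domain in sorted({src for src, _, _, _ in rules}):
        unlabeled = recvfrom_classes(rules, domain, "unlabeled_t")
        labeled = recvfrom_classes(rules, domain, "netlabel_peer_t")
        if unlabeled - labeled:
            flagged.append(domain)
    return flagged


if __name__ == "__main__":
    for d in domains_missing_labeled_recv(SAMPLE_POLICY):
        print(f"{d}: add 'allow {d} netlabel_peer_t:{{ tcp_socket udp_socket rawip_socket }} recvfrom;'")
```

Run against a real policy source tree, the same check tells an administrator with custom policy which domains need the netlabel_peer_t rule before enabling CONFIG_NETLABEL; on the sample fragment only olddom_t is reported.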
