Open Source and information security mailing list archives
Date:	Mon, 31 Jan 2011 05:26:54 +0200
From:	Lucian Adrian Grijincu <lucian.grijincu@...il.com>
To:	Stephen Smalley <sds@...ho.nsa.gov>,
	James Morris <jmorris@...ei.org>,
	Eric Paris <eparis@...isplace.org>,
	Al Viro <viro@...iv.linux.org.uk>,
	Christoph Hellwig <hch@....de>,
	Lucian Adrian Grijincu <lucian.grijincu@...il.com>,
	Dave Chinner <dchinner@...hat.com>,
	Arnd Bergmann <arnd@...db.de>, linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	selinux <selinux@...ho.nsa.gov>,
	"Eric W. Biederman" <ebiederm@...ssion.com>
Subject: [PATCH 2/2] RFC: selinux: sysctl: fix selinux labeling broken by last patch

Eric's patch was rejected because it broke selinux labeling:
http://thread.gmane.org/gmane.linux.kernel.lsm/9807/focus=9841

       This seems to break labeling.  Prior to this patch, I see:

       # ls -lZ /proc/1/net/rpc/nfsd.fh
       -rw-------. root root system_u:object_r:sysctl_rpc_t:s0 channel

       with the patch:

       # ls -lZ /proc/1/net/rpc/nfsd.fh
       -rw-------. root root system_u:object_r:proc_t:s0      channel

My patch seems to have fixed this problem (it correctly reports
sysctl_rpc_t in this case), but my selinux experience is ε > 0 and I
have no idea what else it may have broken.

I ran 'find /proc | xargs ls -Z > f' on a kernel with and without
these patches:
* http://swarm.cs.pub.ro/~lucian/store/ls-Z-with-patch
* http://swarm.cs.pub.ro/~lucian/store/ls-Z-without-patch

My setup is a custom busybox live CD with selinux enabled, with
/etc/selinux and /usr/share/selinux/default copied from Ubuntu 10.10's
selinux-policy-default package. I'm sure there are lots of reasons why
this is not correctly configured, etc., but I have no experience
regarding selinux. I can make all the scripts/sources/configs/etc.
available to anyone interested.

NOTE: this patch will be merged with:
  security/selinux: Simplify proc inode to security label mapping

I'm only providing this patch separately to point out the differences
to Eric W. Biederman's patch.

Both of these patches apply cleanly against Linux 2.6.37.

Signed-off-by: Lucian Adrian Grijincu <lucian.grijincu@...il.com>
---
 fs/proc/proc_sysctl.c    |    1 -
 security/selinux/hooks.c |   20 ++++++++++++++++----
 2 files changed, 16 insertions(+), 5 deletions(-)

View attachment "0002-RFC-selinux-sysctl-fix-selinux-labeling-broken-by-la.patch" of type "text/x-patch" (1727 bytes)
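The two `ls -Z` captures linked above differ in mode and owner noise as well as in labels; what a reviewer wants is only the paths whose security context changed between the two kernels. The following POSIX sh script is an added example and is not part of the original mail or the patch: it compares the context column of two such captures and reports changed, added and removed paths. It assumes each capture line ends with "<security context> <path>" (the `ls -lZ` layout quoted above, taken with `-d` so each line carries the full path) and that paths contain no whitespace; the sample captures inside `demo` are constructed to mirror the sysctl_rpc_t/proc_t difference Stephen reported, not copied from the linked files.

```sh
#!/bin/sh
# Added example (not from the original post): diff the SELinux label column of
# two "ls -Z" captures so that only context changes show up, not mode/owner noise.
# Assumptions: each line ends with "<security context> <path>" and paths contain
# no whitespace.

# label_diff BASELINE CANDIDATE
#   Prints one line per path whose context differs, or which exists in only one
#   capture. Exit status is 0 when no label changed, 1 otherwise.
label_diff() {
    awk '
        # First file: remember the context of every path.
        FNR == NR { base[$NF] = $(NF - 1); next }
        # Second file: compare each path against the baseline.
        {
            path = $NF; ctx = $(NF - 1); seen[path] = 1
            if (!(path in base)) { printf "only-in-candidate %s %s\n", path, ctx; next }
            if (base[path] != ctx) {
                printf "CHANGED %s %s -> %s\n", path, base[path], ctx
                changed++
            }
        }
        END {
            for (p in base) if (!(p in seen))
                printf "only-in-baseline %s %s\n", p, base[p]
            exit (changed ? 1 : 0)
        }
    ' "$1" "$2"
}

# demo: constructed captures (not the files linked in the mail). The baseline
# labels the nfsd.fh channel file sysctl_rpc_t; the candidate labels it proc_t
# and also exposes one extra path.
demo() {
    before=$(mktemp); after=$(mktemp)
    cat > "$before" <<'EOF'
dr-xr-xr-x. root root system_u:object_r:proc_t:s0 /proc/1/net/rpc
-rw-------. root root system_u:object_r:sysctl_rpc_t:s0 /proc/1/net/rpc/nfsd.fh/channel
-rw-r--r--. root root system_u:object_r:sysctl_rpc_t:s0 /proc/1/net/rpc/nfsd.fh/content
-r--r--r--. root root system_u:object_r:proc_net_t:s0 /proc/1/net/dev
EOF
    cat > "$after" <<'EOF'
dr-xr-xr-x. root root system_u:object_r:proc_t:s0 /proc/1/net/rpc
-rw-------. root root system_u:object_r:proc_t:s0 /proc/1/net/rpc/nfsd.fh/channel
-rw-r--r--. root root system_u:object_r:sysctl_rpc_t:s0 /proc/1/net/rpc/nfsd.fh/content
-r--r--r--. root root system_u:object_r:proc_net_t:s0 /proc/1/net/dev
-r--r--r--. root root system_u:object_r:proc_net_t:s0 /proc/1/net/route
EOF
    label_diff "$before" "$after"
    rc=$?
    rm -f "$before" "$after"
    return $rc
}

# Run against the constructed captures; a non-zero status means labels changed.
demo || echo "label differences found"
```

Running `label_diff ls-Z-without-patch ls-Z-with-patch` on real captures gives the same three kinds of lines; a CHANGED line for a sysctl path whose context moves from a sysctl_*_t type to proc_t is exactly the regression Stephen spotted, and only-in-* lines usually mean the two runs saw different processes rather than a labeling bug.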
