lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 22 Aug 2007 09:42:54 -0400
From:	Stephen Smalley <sds@...ho.nsa.gov>
To:	James Morris <jmorris@...ei.org>
Cc:	Michal Piotrowski <michal.k.k.piotrowski@...il.com>,
	Willy Tarreau <w@....eu>, linux-kernel@...r.kernel.org,
	stable@...nel.org
Subject: Re: [2.6.20.17 review 00/58] 2.6.20.17 -stable review

On Wed, 2007-08-22 at 09:36 -0400, Stephen Smalley wrote:
> On Wed, 2007-08-22 at 06:23 -0700, James Morris wrote:
> > On Wed, 22 Aug 2007, Michal Piotrowski wrote:
> > 
> > > I got a problem with SELinux
> > > http://www.stardust.webpages.pl/files/tbf/bitis-gabonica/2.6.20.17-rc1/console.log
> > > http://www.stardust.webpages.pl/files/tbf/bitis-gabonica/2.6.20.17-rc1/stable-config
> > 
> > Please set
> > CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=n
> > 
> > You don't have complete policy for the new network controls, which are not 
> > enabled by default and not integreated fully into distros yet.
> 
> Still, that denial shouldn't be against kernel_t unless he has iptables
> SECMARK rules that assign that value.
> 
> It's the change to the skb allocator - no longer clears up through
> truesize and thus secmark is garbage initially.  That would apply to
> mainline too.

Oops, never mind - tail still follows secmark, so that shouldn't matter.
So I'm not sure why we are getting a bad value for secmark here - should
be initialized to zero and never modified unless there is an iptables
secmark rule.

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ