lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 13 Dec 2013 09:52:14 -0500
From:	Eric Paris <eparis@...hat.com>
To:	Paul Moore <paul@...l-moore.com>
Cc:	Josh Boyer <jwboyer@...oraproject.org>,
	James Morris <jmorris@...ei.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	linux-security-module <linux-security-module@...r.kernel.org>,
	"Linux-Kernel@...r. Kernel. Org" <linux-kernel@...r.kernel.org>
Subject: Re: [GIT] SELinux fixes

On Fri, 2013-12-13 at 09:36 -0500, Paul Moore wrote:
> On Fri, Dec 13, 2013 at 9:02 AM, Josh Boyer <jwboyer@...oraproject.org> wrote:
> > Should probably figure out which path to take on this one soon:
> >
> > http://thread.gmane.org/gmane.linux.kernel/1611662
> >
> > A revert might be the easiest for now.
> 
> Yeah, I followed the discussion you and Eric were having earlier this
> week; I was hoping that you guys would be able to arrive at a fix as I
> would much prefer to fix the issue and not have to revert.
> 
> If I don't see something from Eric within the next couple of hours
> I'll go ahead and do the revert.

Paul, please revert 102aefdda4d8275ce7d7100bc16c88c74272b260

SELinux policy can specify if it should use a filesystem's xattrs or
not.  In current policy we have a specification that fuse should not use
xattrs but fuse.glusterfs should use xattrs.  This patch has a bug in
which non-glusterfs filesystems would match the rule saying
fuse.glusterfs should use xattrs.  If both fuse and the particular
filesystem in question are not written to handle xattr calls during the
mount command, they will deadlock.

I have fixed the bug to do proper matching, however I believe a revert
is still the correct solution.  The reason I believe that is because the
code still does not work.  The s_subtype is not set until after the
SELinux hook which attempts to match on the ".gluster" portion of the
rule.  So we cannot match on the rule in question.  The code is useless.

In the next cycle the code should be re-re-verted and fixed, but we also
need to address the fact that it just plain doesn't work.

-Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ