Date: Fri, 31 Aug 2018 12:17:49 -0400
From: Stephen Smalley <sds@...ho.nsa.gov>
To: Paul Moore <paul@...l-moore.com>, dvyukov@...gle.com
Cc: syzbot+21016130b0580a9de3b5@...kaller.appspotmail.com, tyhicks@...onical.com, john.johansen@...onical.com, James Morris <jmorris@...ei.org>, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, Serge Hallyn <serge@...lyn.com>, syzkaller-bugs@...glegroups.com, Jeffrey Vander Stoep <jeffv@...gle.com>
Subject: Re: WARNING in apparmor_secid_to_secctx

On 08/31/2018 12:16 PM, Stephen Smalley wrote:
> On 08/31/2018 12:07 PM, Paul Moore wrote:
>> On Fri, Aug 31, 2018 at 12:01 PM Stephen Smalley <sds@...ho.nsa.gov>
>> wrote:
>>> On 08/29/2018 10:21 PM, Dmitry Vyukov wrote:
>>>> On Wed, Aug 29, 2018 at 7:17 PM, syzbot
>>>> <syzbot+21016130b0580a9de3b5@...kaller.appspotmail.com> wrote:
>>>>> Hello,
>>>>>
>>>>> syzbot found the following crash on:
>>>>>
>>>>> HEAD commit: 817e60a7a2bb Merge branch 'nfp-add-NFP5000-support'
>>>>> git tree: net-next
>>>>> console output:
>>>>> https://syzkaller.appspot.com/x/log.txt?x=1536d296400000
>>>>> kernel config:
>>>>> https://syzkaller.appspot.com/x/.config?x=531a917630d2a492
>>>>> dashboard link:
>>>>> https://syzkaller.appspot.com/bug?extid=21016130b0580a9de3b5
>>>>> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
>>>>>
>>>>> Unfortunately, I don't have any reproducer for this crash yet.
>>>>>
>>>>> IMPORTANT: if you fix the bug, please add the following tag to the
>>>>> commit:
>>>>> Reported-by: syzbot+21016130b0580a9de3b5@...kaller.appspotmail.com
>>>>
>>>> Hi John, Tyler,
>>>>
>>>> I've switched syzbot from selinux to apparmor as we discussed on lss:
>>>> https://github.com/google/syzkaller/commit/2c6cb254ae6c06f61e3aba21bb89ffb05b5db946
>>>>
>>>
>>> Sorry, does this mean that you are no longer testing selinux via syzbot?
>>> That seems unfortunate. SELinux is default-enabled and used in
>>> Fedora, RHEL and all derivatives (e.g. CentOS), and mandatory in Android
>>> (and seemingly getting some use in ChromeOS now as well, at least for
>>> the Android container and possibly wider), so it seems unwise to drop it
>>> from your testing altogether. I was under the impression that you were
>>> just going to add apparmor to your testing matrix, not drop selinux
>>> altogether.
>>
>> It is also important to note that testing with SELinux enabled but no
>> policy loaded is not going to be very helpful (last we talked that is
>> what syzbot is/was doing). While syzbot did uncover some issues
>> relating to the enabled-no-policy case, those are much less
>> interesting and less relevant than the loaded-policy case.
>
> I had thought that they had switched over to at least loading a policy
> but possibly left it in permissive mode because the base distribution
> didn't properly support SELinux out of the box. But I may be mistaken.
> Regardless, the right solution is to migrate to testing with a policy
> loaded not to stop testing altogether.
>
> Optimally, they'd test on at least one distribution/OS where SELinux is
> in fact supported out of the box, e.g. CentOS, Android, and/or ChromeOS.

Or Fedora, of course.