Message-ID: <9537a6ff-daf4-d572-bf93-68230909b68e@tycho.nsa.gov>
Date:   Fri, 31 Aug 2018 12:16:21 -0400
From:   Stephen Smalley <sds@...ho.nsa.gov>
To:     Paul Moore <paul@...l-moore.com>, dvyukov@...gle.com
Cc:     syzbot+21016130b0580a9de3b5@...kaller.appspotmail.com,
        tyhicks@...onical.com, john.johansen@...onical.com,
        James Morris <jmorris@...ei.org>, linux-kernel@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        Serge Hallyn <serge@...lyn.com>,
        syzkaller-bugs@...glegroups.com,
        Jeffrey Vander Stoep <jeffv@...gle.com>
Subject: Re: WARNING in apparmor_secid_to_secctx

On 08/31/2018 12:07 PM, Paul Moore wrote:
> On Fri, Aug 31, 2018 at 12:01 PM Stephen Smalley <sds@...ho.nsa.gov> wrote:
>> On 08/29/2018 10:21 PM, Dmitry Vyukov wrote:
>>> On Wed, Aug 29, 2018 at 7:17 PM, syzbot
>>> <syzbot+21016130b0580a9de3b5@...kaller.appspotmail.com> wrote:
>>>> Hello,
>>>>
>>>> syzbot found the following crash on:
>>>>
>>>> HEAD commit:    817e60a7a2bb Merge branch 'nfp-add-NFP5000-support'
>>>> git tree:       net-next
>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=1536d296400000
>>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=531a917630d2a492
>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=21016130b0580a9de3b5
>>>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>>>>
>>>> Unfortunately, I don't have any reproducer for this crash yet.
>>>>
>>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>>> Reported-by: syzbot+21016130b0580a9de3b5@...kaller.appspotmail.com
>>>
>>> Hi John, Tyler,
>>>
>>> I've switched syzbot from selinux to apparmor as we discussed on lss:
>>> https://github.com/google/syzkaller/commit/2c6cb254ae6c06f61e3aba21bb89ffb05b5db946
>>
>> Sorry, does this mean that you are no longer testing selinux via syzbot?
>> That seems unfortunate.  SELinux is default-enabled and used in
>> Fedora, RHEL and all derivatives (e.g. CentOS), and mandatory in Android
>> (and seemingly getting some use in ChromeOS now as well, at least for
>> the Android container and possibly wider), so it seems unwise to drop it
>> from your testing altogether.  I was under the impression that you were
>> just going to add apparmor to your testing matrix, not drop selinux
>> altogether.
> 
> It is also important to note that testing with SELinux enabled but no
> policy loaded is not going to be very helpful (last we talked that is
> what syzbot is/was doing).  While syzbot did uncover some issues
> relating to the enabled-no-policy case, those are much less
> interesting and less relevant than the loaded-policy case.

I had thought that they had switched over to at least loading a policy 
but possibly left it in permissive mode because the base distribution 
didn't properly support SELinux out of the box.  But I may be mistaken.
Regardless, the right solution is to migrate to testing with a policy
loaded, not to stop testing altogether.

Optimally, they'd test on at least one distribution/OS where SELinux is 
in fact supported out of the box, e.g. CentOS, Android, and/or ChromeOS.
