[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200809171724.36269.paul.moore@hp.com>
Date: Wed, 17 Sep 2008 17:24:36 -0400
From: Paul Moore <paul.moore@...com>
To: Andrew Morton <akpm@...ux-foundation.org>
Cc: Stephen Smalley <sds@...ho.nsa.gov>, jmorris@...ei.org,
rjw@...k.pl, linux-kernel@...r.kernel.org,
kernel-testers@...r.kernel.org,
"Eric W. Biederman" <ebiederm@...ssion.com>, netdev@...r.kernel.org
Subject: Re: [Bug #11500] /proc/net bug related to selinux
On Wednesday 17 September 2008 3:50:53 pm Andrew Morton wrote:
> On Mon, 15 Sep 2008 09:05:26 -0400
> Stephen Smalley <sds@...ho.nsa.gov> wrote:
> > However, the most likely explanation is simply that when /proc/net
> > was changed from being a directory to being a symlink to
> > /proc/self/net, that introduced an additional permission check on
> > accesses of /proc/net/<whatever>, namely the read check on the
> > symlink itself. And since that check wasn't happening on /proc/net
> > accesses with older kernels, older policies didn't allow it.
> >
> > As to why others haven't reported it, I expect that they have
> > updated their policies to newer ones that allow the necessary
> > access. The fact that legacy distros wouldn't have such updated
> > policies isn't surprising - they don't push updates to those
> > distros for new kernels. FC5 and FC6 are both EOL'd, right?
> >
> > In any event, we didn't change anything in SELinux - the change was
> > elsewhere (in the proc/net implementation). Don't blame the
> > messenger please.
>
> Vanilla FC5 broke and vanilla FC6 broke. Did vanilla FC7, 8 or 9
> break?
>
> http://smolt.fedoraproject.org/static/stats/stats.html shows
> 11,000-odd people running FC5 and FC6. It would be incautious to
> assume that all those people have updated their selinux rules.
>
> And _requiring_ people to update their selinux rules to fix a
> kernel-caused regression is a pretty big deal for some people, I
> expect.
Just so I'm clear on the context of the problem, it sounds like if a FC5
(I'm limiting myself to FC5 for the moment) user upgraded to a recent
(2.6.25+) kernel (non-distro supplied in the case of FC5) then they
will run into problems unless they also upgrade their SELinux policy,
yes?
If that is the case I'm not sure it is really that big of a deal. Maybe
I'm in the minority here, but in my mind once you step away from the
distro supplied kernel (also applies to other packages, although those
are arguably less critical) you should also bear the responsibility to
make sure you upgrade/tweak/install whatever other bits need to be
fixed.
> Then again, given that this regression has been out there since
> 2.6.25, I guess not too many people are hurting from it. But we
> suck.
We suck? Maybe, but some explanation about why we suck in this
particular case would be helpful as far as I'm concerned. I don't
really care about identifying the guilty suckees, I'm more interested
in finding out what happened to cause us to suck because of this.
--
paul moore
linux @ hp
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists