| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 04 Dec 2008 13:00:15 -0800 From: ebiederm@...ssion.com (Eric W. Biederman) To: Stephen Smalley <sds@...ho.nsa.gov> Cc: David Miller <davem@...emloft.net>, adobriyan@...il.com, auke-jan.h.kok@...el.com, akpm@...ux-foundation.org, e1000-devel@...ts.sourceforge.net, netdev@...r.kernel.org, jmorris@...ei.org, eparis@...isplace.org Subject: Re: [E1000-devel] networking probs in next-20081203 Stephen Smalley <sds@...ho.nsa.gov> writes: > On Thu, 2008-12-04 at 14:32 -0500, Stephen Smalley wrote: >> On Thu, 2008-12-04 at 10:21 -0800, David Miller wrote: >> > From: Stephen Smalley <sds@...ho.nsa.gov> >> > Date: Thu, 04 Dec 2008 13:11:20 -0500 >> > >> > > On Thu, 2008-12-04 at 20:52 +0300, Alexey Dobriyan wrote: >> > > > On Thu, Dec 04, 2008 at 09:41:24AM -0800, Kok, Auke wrote: >> > > > > maybe try disabling selinux? >> > > > >> > > > This will work. :^) >> > > >> > > SELinux didn't change here. /proc/net did. >> > >> > We've been through this before... >> >> Yep, and we altered SELinux so that they could freely change proc >> directories into symlinks to support the earlier proc/net change. But >> now proc/net has turned into its own separate filesystem, with its own >> filesystem type, which is unknown to SELinux. Thus causing it to be >> left unlabeled and inaccessible to confined domains. >> >> > And it is a usability issue that people can't change how procfs >> > directories work without requiring the user to update their selinux >> > policies first. >> >> Introducing a new filesystem type (proc/net) without teaching SELinux >> how to handle it is always going to produce denials on accessing that >> filesystem. If they left the filesystem type string as "proc" it >> wouldn't be a problem. > > Actually, that isn't quite correct as it wouldn't generate the same > name/key for lookup. > >> Or they can adjust the SELinux code to >> automagically handle it. Regardless, we didn't break anything. > > Looking back, I see that they did in fact change selinux as part of the > patch to make proc/net its own filesystem, although unfortunately not in > a way that will quite work. But no selinux maintainer was ever cc'd on > that patch. Yes. Apologies. The whole thing started with some stupid security drama and so things tried to happen outside of the normal channels and things just went wrong, and got lost... When I resent and started things through the normal channels I forgot to cc you guys. My apologies. Which piece of selinux magic did I miss? In particular can you tell if this was a code bug or a logic bug? Eric -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists