| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20150708.160855.1027366470220223329.davem@davemloft.net>
Date: Wed, 08 Jul 2015 16:08:55 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: sds@...ho.nsa.gov
Cc: jon.maloy@...csson.com, ying.xue@...driver.com,
paul@...l-moore.com, linux-security-module@...r.kernel.org,
netdev@...r.kernel.org
Subject: Re: [PATCH] net/tipc: initialize security state for new connection
socket
From: Stephen Smalley <sds@...ho.nsa.gov>
Date: Tue, 7 Jul 2015 09:43:45 -0400
> Calling connect() with an AF_TIPC socket would trigger a series
> of error messages from SELinux along the lines of:
> SELinux: Invalid class 0
> type=AVC msg=audit(1434126658.487:34500): avc: denied { <unprintable> }
> for pid=292 comm="kworker/u16:5" scontext=system_u:system_r:kernel_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=<unprintable>
> permissive=0
>
> This was due to a failure to initialize the security state of the new
> connection sock by the tipc code, leaving it with junk in the security
> class field and an unlabeled secid. Add a call to security_sk_clone()
> to inherit the security state from the parent socket.
>
> Reported-by: Tim Shearer <tim.shearer@...rturenetworks.com>
> Signed-off-by: Stephen Smalley <sds@...ho.nsa.gov>
> Acked-by: Paul Moore <paul@...l-moore.com>
Applied and queued up for -stable, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists