Re: [PATCH v3 0/7] Inode security label invalidation
On Wed, Oct 28, 2015 at 10:12 PM, Paul Moore wrote:
> On Mon, Oct 26, 2015 at 5:15 PM, Andreas Gruenbacher wrote:
>> Here is another version of the patch queue to make gfs2 and similar file
>> systems work with SELinux. As suggested by Stephen Smalley [*], the relevant
>> uses of inode->security are wrapped in function calls that try to revalidate
>> invalid labels.
>>
>> [*] http://marc.info/?l=linux-kernel=144416710207686=2
>>
>> The patches are looking good from my point of view; is there anything else
>> that needs addressing?
>
> Hi Andreas,
>
> I'm largely staying out of the way on this patchset as Stephen has
> been providing good review and feedback (I see he identified a few
> more things in this latest revision),

Yes, Stephen is being very helpful.

> however, before I accept this
> upstream I'd like to see an ACK from one of the GFS developers on the
> last patch which touches the code under fs/gfs2.

Sure, no worries there ...

Thanks,
Andreas
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v3 0/7] Inode security label invalidation
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote:
> Here is another version of the patch queue to make gfs2 and similar file
> systems work with SELinux. As suggested by Stephen Smalley [*], the relevant
> uses of inode->security are wrapped in function calls that try to revalidate
> invalid labels.
>
> [*] http://marc.info/?l=linux-kernel=144416710207686=2
>
> The patches are looking good from my point of view; is there anything else
> that needs addressing?
>
> Does SELinux have test suites that these patches could be tested against?

git clone https://github.com/SELinuxProject/selinux-testsuite
sudo yum install perl-Test perl-Test-Harness selinux-policy-devel gcc libselinux-devel net-tools netlabel_tools iptables
cd selinux-testsuite
sudo make test

> Thanks,
> Andreas
>
> Andreas Gruenbacher (7):
>   selinux: Remove unused variable in selinux_inode_init_security
>   selinux: Add accessor functions for inode->i_security
>   selinux: Get rid of file_path_has_perm
>   selinux: Push dentry down from {dentry,path,file}_has_perm
>   security: Add hook to invalidate inode security labels
>   selinux: Revalidate invalid inode security labels
>   gfs2: Invalide security labels of inodes when they go invalid
>
>  fs/gfs2/glops.c                   |   2 +
>  include/linux/lsm_hooks.h         |   6 ++
>  include/linux/security.h          |   5 +
>  security/security.c               |   8 ++
>  security/selinux/hooks.c          | 213 ++
>  security/selinux/include/objsec.h |   6 ++
>  6 files changed, 152 insertions(+), 88 deletions(-)
[PATCH v3 0/7] Inode security label invalidation
Here is another version of the patch queue to make gfs2 and similar file
systems work with SELinux. As suggested by Stephen Smalley [*], the relevant
uses of inode->security are wrapped in function calls that try to revalidate
invalid labels.

[*] http://marc.info/?l=linux-kernel=144416710207686=2

The patches are looking good from my point of view; is there anything else
that needs addressing?

Does SELinux have test suites that these patches could be tested against?

Thanks,
Andreas

Andreas Gruenbacher (7):
  selinux: Remove unused variable in selinux_inode_init_security
  selinux: Add accessor functions for inode->i_security
  selinux: Get rid of file_path_has_perm
  selinux: Push dentry down from {dentry,path,file}_has_perm
  security: Add hook to invalidate inode security labels
  selinux: Revalidate invalid inode security labels
  gfs2: Invalide security labels of inodes when they go invalid

 fs/gfs2/glops.c                   |   2 +
 include/linux/lsm_hooks.h         |   6 ++
 include/linux/security.h          |   5 +
 security/security.c               |   8 ++
 security/selinux/hooks.c          | 213 ++
 security/selinux/include/objsec.h |   6 ++
 6 files changed, 152 insertions(+), 88 deletions(-)

--
2.5.0
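
The cover letter describes routing uses of the inode's security label through accessor functions that revalidate invalid labels, plus a hook that lets a filesystem mark a label invalid. The userspace C model below is an added example of that pattern, not code from the patch series or the kernel. Every type and function name, the public_t/secret_t labels and the remote-relabel scenario are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model; every name here is hypothetical, not a kernel symbol. */
enum label_state { LABEL_INVALID, LABEL_VALID };
struct backing_store { char label[32]; };                     /* on-disk label */
struct inode_sec { enum label_state state; char label[32]; }; /* cached copy */
struct model_inode { struct backing_store *store; struct inode_sec sec; };

/* Accessor: all label consumers go through here, so an invalid cached
 * label is re-read before it can feed an access decision. */
static const struct inode_sec *get_inode_sec(struct model_inode *inode)
{
    if (inode->sec.state == LABEL_INVALID) {
        snprintf(inode->sec.label, sizeof inode->sec.label, "%s",
                 inode->store->label);
        inode->sec.state = LABEL_VALID;
    }
    return &inode->sec;
}

/* Invalidation hook: the filesystem calls this when its cached state may be stale. */
static void invalidate_inode_sec(struct model_inode *inode)
{
    inode->sec.state = LABEL_INVALID;
}

/* Toy policy: access is allowed only while the file is labeled public_t. */
static int may_access(struct model_inode *inode)
{
    return strcmp(get_inode_sec(inode)->label, "public_t") == 0;
}

/* Constructed scenario: another cluster node relabels the file to secret_t
 * after this node cached public_t. Returns this node's next decision. */
int decision_after_remote_relabel(int fs_invalidates)
{
    struct backing_store disk = { "public_t" };
    struct model_inode ino = { &disk, { LABEL_INVALID, "" } };
    may_access(&ino);                  /* first use caches public_t */
    strcpy(disk.label, "secret_t");    /* remote relabel on shared storage */
    if (fs_invalidates)
        invalidate_inode_sec(&ino);
    return may_access(&ino);           /* 1 = stale allow, 0 = denied */
}

int main(void)
{
    printf("%d %d\n", decision_after_remote_relabel(0), decision_after_remote_relabel(1));
    return 0;
}
```

Without the invalidation call the second check still passes on the cached public_t label; with it, the accessor re-reads the label and the check is denied.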