Re: [PATCH v3 0/7] Inode security label invalidation

2015-10-28 Thread Andreas Gruenbacher
On Wed, Oct 28, 2015 at 10:12 PM, Paul Moore wrote:
> On Mon, Oct 26, 2015 at 5:15 PM, Andreas Gruenbacher wrote:
>> Here is another version of the patch queue to make gfs2 and similar file
>> systems work with SELinux.  As suggested by Stephen Smalley [*], the relevant
>> uses of inode->security are wrapped in function calls that try to revalidate
>> invalid labels.
>>
>>   [*] http://marc.info/?l=linux-kernel=144416710207686=2
>>
>> The patches are looking good from my point of view; is there anything else
>> that needs addressing?
>
> Hi Andreas,
>
> I'm largely staying out of the way on this patchset as Stephen has
> been providing good review and feedback (I see he identified a few
> more things in this latest revision),

Yes, Stephen is being very helpful.

> however, before I accept this
> upstream I'd like to see an ACK from one of the GFS developers on the
> last patch which touches the code under fs/gfs2.

Sure, no worries there ...

Thanks,
Andreas
--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH v3 0/7] Inode security label invalidation

2015-10-27 Thread Stephen Smalley

On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote:

> Here is another version of the patch queue to make gfs2 and similar file
> systems work with SELinux.  As suggested by Stephen Smalley [*], the relevant
> uses of inode->security are wrapped in function calls that try to revalidate
> invalid labels.
>
>   [*] http://marc.info/?l=linux-kernel=144416710207686=2
>
> The patches are looking good from my point of view; is there anything else that
> needs addressing?
>
> Does SELinux have test suites that these patches could be tested against?

git clone https://github.com/SELinuxProject/selinux-testsuite
sudo yum install perl-Test perl-Test-Harness selinux-policy-devel gcc \
    libselinux-devel net-tools netlabel_tools iptables

cd selinux-testsuite
sudo make test

> Thanks,
> Andreas
>
> Andreas Gruenbacher (7):
>   selinux: Remove unused variable in selinux_inode_init_security
>   selinux: Add accessor functions for inode->i_security
>   selinux: Get rid of file_path_has_perm
>   selinux: Push dentry down from {dentry,path,file}_has_perm
>   security: Add hook to invalidate inode security labels
>   selinux: Revalidate invalid inode security labels
>   gfs2: Invalide security labels of inodes when they go invalid
>
>  fs/gfs2/glops.c   |   2 +
>  include/linux/lsm_hooks.h |   6 ++
>  include/linux/security.h  |   5 +
>  security/security.c   |   8 ++
>  security/selinux/hooks.c  | 213 ++
>  security/selinux/include/objsec.h |   6 ++
>  6 files changed, 152 insertions(+), 88 deletions(-)





[PATCH v3 0/7] Inode security label invalidation

2015-10-26 Thread Andreas Gruenbacher
Here is another version of the patch queue to make gfs2 and similar file
systems work with SELinux.  As suggested by Stephen Smalley [*], the relevant
uses of inode->security are wrapped in function calls that try to revalidate
invalid labels.

  [*] http://marc.info/?l=linux-kernel=144416710207686=2

The patches are looking good from my point of view; is there anything else that
needs addressing?

Does SELinux have test suites that these patches could be tested against?

Thanks,
Andreas

Andreas Gruenbacher (7):
  selinux: Remove unused variable in selinux_inode_init_security
  selinux: Add accessor functions for inode->i_security
  selinux: Get rid of file_path_has_perm
  selinux: Push dentry down from {dentry,path,file}_has_perm
  security: Add hook to invalidate inode security labels
  selinux: Revalidate invalid inode security labels
  gfs2: Invalide security labels of inodes when they go invalid

 fs/gfs2/glops.c   |   2 +
 include/linux/lsm_hooks.h |   6 ++
 include/linux/security.h  |   5 +
 security/security.c   |   8 ++
 security/selinux/hooks.c  | 213 ++
 security/selinux/include/objsec.h |   6 ++
 6 files changed, 152 insertions(+), 88 deletions(-)

-- 
2.5.0
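
The revalidate-on-access approach described in the cover letter above, as an added userspace C model (not code from the patch series or the kernel): a hook marks the cached label invalid, and the accessor re-reads it before the next check. The struct, function and label names are hypothetical, and the backing store standing in for the file's stored label is an assumption.

```c
/* Userspace model only; every name here is hypothetical, not kernel code. */
#include <stdio.h>
#include <string.h>

enum label_state { LABEL_INVALID, LABEL_VALID };

/* Authoritative label kept with the file (constructed sample data). */
struct backing_store { char label[64]; };
/* Per-inode security blob holding a cached copy of the label. */
struct inode_sec {
    enum label_state state;
    char cached[64];
    const struct backing_store *store;
    unsigned reloads;   /* number of times the label was re-read */
};

/* Invalidation hook: called by the file system when its cached inode data goes invalid. */
static void sec_invalidate(struct inode_sec *isec)
{
    isec->state = LABEL_INVALID;
}

/* Accessor: all readers go through it, so an invalid label is re-read before use. */
static const char *sec_label(struct inode_sec *isec)
{
    if (isec->state != LABEL_VALID) {
        snprintf(isec->cached, sizeof(isec->cached), "%s", isec->store->label);
        isec->state = LABEL_VALID;
        isec->reloads++;
    }
    return isec->cached;
}

/* Toy permission check: allowed only if the current label matches. */
static int may_access(struct inode_sec *isec, const char *allowed)
{
    return strcmp(sec_label(isec), allowed) == 0;
}

int main(void)
{
    struct backing_store disk = { "secret_t" };
    struct inode_sec isec = { LABEL_INVALID, "", &disk, 0 };
    printf("initial: %d\n", may_access(&isec, "secret_t"));
    strcpy(disk.label, "public_t");   /* label changes behind the cache */
    printf("stale:   %d\n", may_access(&isec, "secret_t"));
    sec_invalidate(&isec);
    printf("fresh:   %d\n", may_access(&isec, "secret_t"));
}
```

The middle check still succeeds against the stale cached label; only after the invalidation call does the accessor pick up the changed label and the check fail.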
