Re: [PATCH 2/3] selinux: add checksum to policydb

2017-04-28 Thread Stephen Smalley
On Fri, 2017-04-28 at 18:08 +0200, Sebastien Buisson wrote: > 2017-04-28 17:50 GMT+02:00 Stephen Smalley : > > You seem to be conflating kernel policy with userspace policy. > > security_load_policy() is provided with the kernel policy image, > > which > > is the result of

Re: [PATCH 2/3] selinux: add checksum to policydb

2017-04-28 Thread Stephen Smalley
On Fri, 2017-04-28 at 18:08 +0200, Sebastien Buisson wrote: > 2017-04-28 17:50 GMT+02:00 Stephen Smalley : > > You seem to be conflating kernel policy with userspace policy. > > security_load_policy() is provided with the kernel policy image, > > which > > is the result of linking the

Re: [PATCH 2/3] selinux: add checksum to policydb

2017-04-28 Thread Sebastien Buisson
2017-04-28 17:50 GMT+02:00 Stephen Smalley : > You seem to be conflating kernel policy with userspace policy. > security_load_policy() is provided with the kernel policy image, which > is the result of linking the kernel-relevant portions of all policy > modules together. A

Re: [PATCH 2/3] selinux: add checksum to policydb

2017-04-28 Thread Sebastien Buisson
2017-04-28 17:50 GMT+02:00 Stephen Smalley : > You seem to be conflating kernel policy with userspace policy. > security_load_policy() is provided with the kernel policy image, which > is the result of linking the kernel-relevant portions of all policy > modules together. A hash of that image will

Re: [PATCH 2/3] selinux: add checksum to policydb

2017-04-28 Thread Stephen Smalley
On Fri, 2017-04-28 at 17:16 +0200, Sebastien Buisson wrote: > 2017-04-27 20:47 GMT+02:00 Stephen Smalley : > > > I just checked, with the method of computing the checksum on a > > > (data, > > > len) pair on entry to security_load_policy() the checksum does > > > not > > >

Re: [PATCH 2/3] selinux: add checksum to policydb

2017-04-28 Thread Stephen Smalley
On Fri, 2017-04-28 at 17:16 +0200, Sebastien Buisson wrote: > 2017-04-27 20:47 GMT+02:00 Stephen Smalley : > > > I just checked, with the method of computing the checksum on a > > > (data, > > > len) pair on entry to security_load_policy() the checksum does > > > not > > > change after using

Re: [PATCH 2/3] selinux: add checksum to policydb

2017-04-28 Thread Sebastien Buisson
2017-04-27 20:47 GMT+02:00 Stephen Smalley : >> I just checked, with the method of computing the checksum on a (data, >> len) pair on entry to security_load_policy() the checksum does not >> change after using setsebool. So it seems I would need to call >>

Re: [PATCH 2/3] selinux: add checksum to policydb

2017-04-28 Thread Sebastien Buisson
2017-04-27 20:47 GMT+02:00 Stephen Smalley : >> I just checked, with the method of computing the checksum on a (data, >> len) pair on entry to security_load_policy() the checksum does not >> change after using setsebool. So it seems I would need to call >> security_read_policy() to retrieve the

Re: [PATCH 2/3] selinux: add checksum to policydb

2017-04-27 Thread Stephen Smalley
On Thu, 2017-04-27 at 19:12 +0200, Sebastien Buisson wrote: > 2017-04-27 17:18 GMT+02:00 Stephen Smalley : > > Ok, that should work as long as you just want to validate that all > > the > > clients loaded the same policy file, and aren't concerned about > > non- > > persistent

Re: [PATCH 2/3] selinux: add checksum to policydb

2017-04-27 Thread Stephen Smalley
On Thu, 2017-04-27 at 19:12 +0200, Sebastien Buisson wrote: > 2017-04-27 17:18 GMT+02:00 Stephen Smalley : > > Ok, that should work as long as you just want to validate that all > > the > > clients loaded the same policy file, and aren't concerned about > > non- > > persistent policy boolean

Re: [PATCH 2/3] selinux: add checksum to policydb

2017-04-27 Thread Sebastien Buisson
2017-04-27 17:18 GMT+02:00 Stephen Smalley : > Ok, that should work as long as you just want to validate that all the > clients loaded the same policy file, and aren't concerned about non- > persistent policy boolean changes. As far as I understand, non-persistent policy

Re: [PATCH 2/3] selinux: add checksum to policydb

2017-04-27 Thread Sebastien Buisson
2017-04-27 17:18 GMT+02:00 Stephen Smalley : > Ok, that should work as long as you just want to validate that all the > clients loaded the same policy file, and aren't concerned about non- > persistent policy boolean changes. As far as I understand, non-persistent policy boolean changes can

Re: [PATCH 2/3] selinux: add checksum to policydb

2017-04-27 Thread Stephen Smalley
On Thu, 2017-04-27 at 10:41 +0200, Sebastien Buisson wrote: > 2017-04-26 20:30 GMT+02:00 Stephen Smalley : > > This seems like an odd place to trigger the computation. > > I noticed that the policy as exposed via /sys/fs/selinux/policy can > also be modified in

Re: [PATCH 2/3] selinux: add checksum to policydb

2017-04-27 Thread Stephen Smalley
On Thu, 2017-04-27 at 10:41 +0200, Sebastien Buisson wrote: > 2017-04-26 20:30 GMT+02:00 Stephen Smalley : > > This seems like an odd place to trigger the computation. > > I noticed that the policy as exposed via /sys/fs/selinux/policy can > also be modified in security_set_bools(). That's true,

Re: [PATCH 2/3] selinux: add checksum to policydb

2017-04-27 Thread Sebastien Buisson
2017-04-26 20:30 GMT+02:00 Stephen Smalley : > This seems like an odd place to trigger the computation. I noticed that the policy as exposed via /sys/fs/selinux/policy can also be modified in security_set_bools(). So in order to limit the places from where to compute the

Re: [PATCH 2/3] selinux: add checksum to policydb

2017-04-27 Thread Sebastien Buisson
2017-04-26 20:30 GMT+02:00 Stephen Smalley : > This seems like an odd place to trigger the computation. I noticed that the policy as exposed via /sys/fs/selinux/policy can also be modified in security_set_bools(). So in order to limit the places from where to compute the policy checksum, I moved

Re: [PATCH 2/3] selinux: add checksum to policydb

2017-04-26 Thread Stephen Smalley
On Thu, 2017-04-27 at 00:02 +0900, Sebastien Buisson wrote: > Add policycksum field to struct policydb. It holds the sha256 > checksum computed on the binary policy every time the notifier is > called after a policy change. > Add security_policy_cksum hook to give access to policy checksum to >

Re: [PATCH 2/3] selinux: add checksum to policydb

2017-04-26 Thread Stephen Smalley
On Thu, 2017-04-27 at 00:02 +0900, Sebastien Buisson wrote: > Add policycksum field to struct policydb. It holds the sha256 > checksum computed on the binary policy every time the notifier is > called after a policy change. > Add security_policy_cksum hook to give access to policy checksum to >

[PATCH 2/3] selinux: add checksum to policydb

2017-04-26 Thread Sebastien Buisson
Add policycksum field to struct policydb. It holds the sha256 checksum computed on the binary policy every time the notifier is called after a policy change. Add security_policy_cksum hook to give access to policy checksum to the rest of the kernel. Lustre client makes use of this information.

[PATCH 2/3] selinux: add checksum to policydb

2017-04-26 Thread Sebastien Buisson
Add policycksum field to struct policydb. It holds the sha256 checksum computed on the binary policy every time the notifier is called after a policy change. Add security_policy_cksum hook to give access to policy checksum to the rest of the kernel. Lustre client makes use of this information.