Re: [PATCH v3 0/7] Inode security label invalidation

2015-10-27 Thread Stephen Smalley
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Here is another version of the patch queue to make gfs2 and similar file systems work with SELinux. As suggested by Stephen Smalley [*], the relevant uses of inode->security are wrapped in function calls that try to revalidate invalid labels.

Re: [PATCH v3 3/7] selinux: Get rid of file_path_has_perm

2015-10-27 Thread Stephen Smalley
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Use path_has_perm directly instead. This reverts: commit 13f8e9810bff12d01807b6f92329111f45218235 Author: David Howells Date: Thu Jun 13 23:37:55 2013 +0100 SELinux: Institute file_path_has_perm() Create a

[PATCH] selinux: export validatetrans decisions

2015-10-27 Thread Andrew Perepechko
Make validatetrans decisions available through selinuxfs. "/transition" is added to selinuxfs for this purpose. This functionality is needed by file system servers implemented in userspace or kernelspace without the VFS layer. Writing "$oldcontext $newcontext $tclass $taskcontext" to /transition

Re: [PATCH] selinux: export validatetrans decisions

2015-10-27 Thread Stephen Smalley
On 10/27/2015 02:27 PM, Andrew Perepechko wrote: + if (rc) + goto out; + + rc = -ENOMEM; + if (count >= PAGE_SIZE - 1) + goto out; Why PAGE_SIZE-1? This is to avoid allocation of more than a single page. Yes, but you don't need PAGE_SIZE - 1
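Review bot: In the quoted hunk `rc = -ENOMEM` is assigned before the `count >= PAGE_SIZE - 1` check, so a caller that writes an oversized string to /transition gets -ENOMEM, which reports a rejected input length as an allocation failure; -EINVAL (or -E2BIG) describes that condition more accurately, and a one-line comment stating why the bound is `PAGE_SIZE - 1` rather than `PAGE_SIZE` (whether a byte is being reserved for a terminating NUL) would save the question raised in this thread.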

Re: [PATCH v3 2/7] selinux: Add accessor functions for inode->i_security

2015-10-27 Thread Stephen Smalley
On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote: Add functions dentry_security and inode_security for accessing inode->i_security. These functions initially don't do much, but they will later be used to revalidate the security labels when necessary. Signed-off-by: Andreas Gruenbacher