On Tue, Oct 27, 2015 at 6:20 PM, Stephen Smalley wrote:
> On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote:
>> @@ -2217,7 +2231,7 @@ static int selinux_bprm_set_creds(struct
>> linux_binprm *bprm)
>>
>> old_tsec = current_security();
>> new_tsec =
Hi,
I finally got a chance and made some progress on redesigning the rdma cgroup
controller for most of the use cases that we discussed in this email
chain.
I am posting an RFC, and soon code, in a new email.
Parav
On Sun, Sep 20, 2015 at 4:05 PM, Haggai Eran wrote:
> On 15/09/2015 06:45,
On 10/28/2015 07:48 AM, Andreas Gruenbacher wrote:
> On Tue, Oct 27, 2015 at 5:40 PM, Stephen Smalley wrote:
>> On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote:
>>>
>>> Use path_has_perm directly instead.
>>
>>
>> This reverts:
>>
>> commit
On 10/28/2015 01:31 PM, Stephen Smalley wrote:
> On 10/28/2015 07:48 AM, Andreas Gruenbacher wrote:
>> On Tue, Oct 27, 2015 at 5:40 PM, Stephen Smalley wrote:
>>> On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote:
>>>> Use path_has_perm directly instead.
>>> This reverts:
>>> commit
On 10/27/2015 04:48 PM, Andrew Perepechko wrote:
Make validatetrans decisions available through selinuxfs.
"/validatetrans" is added to selinuxfs for this purpose.
This functionality is needed by file system servers
implemented in userspace or kernelspace without the VFS
layer.
Writing
On Wed, Oct 28, 2015 at 10:12 PM, Paul Moore wrote:
> On Mon, Oct 26, 2015 at 5:15 PM, Andreas Gruenbacher
> wrote:
>> Here is another version of the patch queue to make gfs2 and similar file
>> systems work with SELinux. As suggested by Stephen Smalley
Signed-off-by: Andreas Gruenbacher
Acked-by: Stephen Smalley
---
security/selinux/hooks.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e4369d8..fc8f626 100644
---
When fetching an inode's security label, check if it is still valid, and
try reloading it if it is not. Reloading will fail when we are in RCU
context which doesn't allow sleeping, or when we can't find a dentry for
the inode. (Reloading happens via iop->getxattr which takes a dentry
parameter.)
When gfs2 releases the glock of an inode, it must invalidate all
information cached for that inode, including the page cache and acls. Use
the new security_inode_invalidate_secctx hook to also invalidate security
labels in that case. These items will be reread from disk when needed
after