Re: SELinux/IP_PASSSEC regression in 4.13-rcX

2017-07-25 Thread Paolo Abeni
On Tue, 2017-07-25 at 10:45 -0400, Paul Moore wrote:
> On Tue, Jul 25, 2017 at 5:59 AM, Paolo Abeni wrote:
> > On Mon, 2017-07-24 at 22:00 -0400, Paul Moore wrote:
> > > > I'm happy to test this, but if you are curious, you can find the
> > > > selinux-testsuite at the link

Re: SELinux/IP_PASSSEC regression in 4.13-rcX

2017-07-25 Thread Paul Moore
On Tue, Jul 25, 2017 at 5:59 AM, Paolo Abeni wrote:
> On Mon, 2017-07-24 at 22:00 -0400, Paul Moore wrote:
>> > I'm happy to test this, but if you are curious, you can find the
>> > selinux-testsuite at the link below; the "inet_socket" tests are the
>> > ones relevant to this

Re: SELinux/IP_PASSSEC regression in 4.13-rcX

2017-07-25 Thread Paolo Abeni
On Mon, 2017-07-24 at 22:00 -0400, Paul Moore wrote:
> > I'm happy to test this, but if you are curious, you can find the
> > selinux-testsuite at the link below; the "inet_socket" tests are the
> > ones relevant to this problem.
> >
> > * https://github.com/SELinuxProject/selinux-testsuite

Re: SELinux/IP_PASSSEC regression in 4.13-rcX

2017-07-24 Thread Paul Moore
On Mon, Jul 24, 2017 at 3:00 PM, Paul Moore wrote:
> On Mon, Jul 24, 2017 at 12:09 PM, Paolo Abeni wrote:
>> Hi,
>>
>> On Mon, 2017-07-24 at 10:42 -0400, Paul Moore wrote:
>>> The change in behavior for userspace makes me a little nervous as
>>> there is

Re: SELinux/IP_PASSSEC regression in 4.13-rcX

2017-07-24 Thread Paul Moore
On Mon, Jul 24, 2017 at 12:09 PM, Paolo Abeni wrote:
> Hi,
>
> On Mon, 2017-07-24 at 10:42 -0400, Paul Moore wrote:
>> The change in behavior for userspace makes me a little nervous as
>> there is no way of knowing how any random application may be coded.
>> Even if we are

Re: SELinux/IP_PASSSEC regression in 4.13-rcX

2017-07-24 Thread Paolo Abeni
Hi,
On Mon, 2017-07-24 at 10:42 -0400, Paul Moore wrote:
> The change in behavior for userspace makes me a little nervous as
> there is no way of knowing how any random application may be coded.
> Even if we are confident that the majority of applications set
> IP_PASSSEC before calling bind(),

Re: SELinux/IP_PASSSEC regression in 4.13-rcX

2017-07-24 Thread Paul Moore
On Mon, Jul 24, 2017 at 8:25 AM, Paolo Abeni wrote:
> Hi,
>
> On Fri, 2017-07-21 at 18:19 -0400, Paul Moore wrote:
>> I've been seeing a SELinux regression with IP_PASSSEC on the v4.13-rcX
>> kernels and finally tracked the problem down to the
>> skb_release_head_state() call

Re: SELinux/IP_PASSSEC regression in 4.13-rcX

2017-07-24 Thread Paolo Abeni
Hi,
On Fri, 2017-07-21 at 18:19 -0400, Paul Moore wrote:
> I've been seeing a SELinux regression with IP_PASSSEC on the v4.13-rcX
> kernels and finally tracked the problem down to the
> skb_release_head_state() call in __udp_queue_rcv_skb(). Looking at
> the code and the git log it would appear

SELinux/IP_PASSSEC regression in 4.13-rcX

2017-07-21 Thread Paul Moore
Hello, I've been seeing a SELinux regression with IP_PASSSEC on the v4.13-rcX kernels and finally tracked the problem down to the skb_release_head_state() call in __udp_queue_rcv_skb(). Looking at the code and the git log it would appear that the likely culprit is 0a463c78d25b ("udp: avoid a