Re: New Blog on how SELinux blocked Docker container escape.

2017-01-13 Thread Dominick Grift
On 01/13/2017 08:48 PM, Daniel J Walsh wrote: > http://rhelblog.redhat.com/2017/01/13/docker-0-day-stopped-cold-by-selinux/ Good job, but a minor suggestion. You raise the impression that SELinux did this, and even though SELinux made this possible, your policy is what actually achieved this by

[PATCH] libselinux: selinux_restorecon: only log no default label warning for caller-supplied pathname

2017-01-13 Thread Stephen Smalley
$ touch /tmp/foo
$ chcon -t etc_t /tmp/foo
$ restorecon /tmp/foo
Warning no default label for /tmp/foo
$ restorecon -R /tmp/foo
Warning no default label for /tmp/foo
$ restorecon -R /tmp
Signed-off-by: Stephen Smalley --- libselinux/src/selinux_restorecon.c | 7 +-- 1

Re: [PATCH] restorecon manpage: link back to fixfiles

2017-01-13 Thread Alan Jenkins
On 13/01/17 19:56, Alan Jenkins wrote: On 13/01/17 19:38, Stephen Smalley wrote: On Fri, 2017-01-13 at 13:29 -0500, Daniel J Walsh wrote: On 01/13/2017 10:27 AM, Stephen Smalley wrote: On Fri, 2017-01-13 at 09:48 -0500, Stephen Smalley wrote: On Thu, 2017-01-12 at 23:42 +, Alan Jenkins

Re: [PATCH] restorecon manpage: link back to fixfiles

2017-01-13 Thread Alan Jenkins
On 13/01/17 19:38, Stephen Smalley wrote: On Fri, 2017-01-13 at 13:29 -0500, Daniel J Walsh wrote: On 01/13/2017 10:27 AM, Stephen Smalley wrote: On Fri, 2017-01-13 at 09:48 -0500, Stephen Smalley wrote: On Thu, 2017-01-12 at 23:42 +, Alan Jenkins wrote: My main puzzle here[*] is why

Re: [PATCH] restorecon manpage: link back to fixfiles

2017-01-13 Thread Stephen Smalley
On Fri, 2017-01-13 at 13:29 -0500, Daniel J Walsh wrote: > > On 01/13/2017 10:27 AM, Stephen Smalley wrote: > > > > On Fri, 2017-01-13 at 09:48 -0500, Stephen Smalley wrote: > > > > > > On Thu, 2017-01-12 at 23:42 +, Alan Jenkins wrote: > > > > > > > > My main puzzle here[*] is why

[PATCH] selinux-testsuite: extend sockcreate to support other address families

2017-01-13 Thread Stephen Smalley
Extend the sockcreate test program to support other address families. This is what I used to manually confirm the other extended socket classes. However, to avoid bloating the required kernel configuration for the selinux-testsuite and because some of the required kernel config options are not

Re: [PATCH] restorecon manpage: link back to fixfiles

2017-01-13 Thread Daniel J Walsh
On 01/13/2017 10:27 AM, Stephen Smalley wrote: > On Fri, 2017-01-13 at 09:48 -0500, Stephen Smalley wrote: >> On Thu, 2017-01-12 at 23:42 +, Alan Jenkins wrote: >>> My main puzzle here[*] is why `fixfiles` handles sysfs (/sys/) >>> fine, >>> but >>> then there's floods of warnings about

Re: [PATCH] libselinux: replace all malloc + memset by calloc in android label backend.

2017-01-13 Thread Stephen Smalley
On Thu, 2017-01-12 at 21:20 -0800, Sandeep Patil wrote: > Signed-off-by: Sandeep Patil Thanks, applied. > --- >  libselinux/src/label_backends_android.c | 9 +++-- >  1 file changed, 3 insertions(+), 6 deletions(-) > > diff --git a/libselinux/src/label_backends_android.c

Re: [PATCH] restorecon manpage: link back to fixfiles

2017-01-13 Thread Stephen Smalley
On Thu, 2017-01-12 at 20:47 +, Alan Jenkins wrote: > Perhaps the root cause is actually the same.  I still prefer the > messages from fixfiles though.  It explicitly detected conflicting > labels on hardlinks > > https://bugzilla.redhat.com/show_bug.cgi?id=1411371 On this topic, I have

[PATCH] libselinux: selinux_restorecon: only log no default label warning if recursive

2017-01-13 Thread Stephen Smalley
In commit 36f1ccbb574374 ("policycoreutils: setfiles: print error if no default label found"), a warning message was added to setfiles/restorecon if the user explicitly does a restorecon /path/to/foo and /path/to/foo does not have any matching label in file_contexts; in the case of a restorecon -R
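The behaviour these two patches describe (the transcript under "only log no default label warning for caller-supplied pathname" and the commit text above), as an added Python model written for this page; it is not libselinux's selinux_restorecon() code and none of the function names below come from the thread. It assumes a constructed four-line file_contexts fragment (the "/tmp/.* <<none>>" entry is what leaves /tmp/foo without a default label), the last-match-wins lookup that file_contexts(5) describes, and an in-memory tree in place of the real filesystem. The warn_descendants flag reproduces the pre-patch behaviour for comparison.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed file_contexts fragment (not a distribution's real file) in the
# usual "regex [type-flag] context" layout. The "/tmp/.* <<none>>" entry is
# what leaves /tmp/foo with no default label in the thread's transcript.
FILE_CONTEXTS = """
/.*                     system_u:object_r:default_t:s0
/etc(/.*)?              system_u:object_r:etc_t:s0
/tmp                -d  system_u:object_r:tmp_t:s0
/tmp/.*                 <<none>>
"""

# file_contexts(5) type flags: -d directory, -- regular file, -l symlink, ...
TYPE_FLAGS = {"-d": "dir", "--": "file", "-l": "symlink", "-c": "char",
              "-b": "block", "-s": "sock", "-p": "fifo"}

Spec = Tuple[re.Pattern, Optional[str], str]


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse 'regex [flag] context' lines into (compiled regex, ftype, context)."""
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, flag, ctx = parts
            ftype: Optional[str] = TYPE_FLAGS[flag]
        elif len(parts) == 2:
            (regex, ctx), ftype = parts, None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        specs.append((re.compile(regex), ftype, ctx))
    return specs


def lookup(specs: List[Spec], path: str, ftype: str) -> Optional[str]:
    """Default label for path, or None when nothing matches or the match is <<none>>.

    Later entries take precedence, so the scan runs from the end of the file.
    """
    for regex, spec_type, ctx in reversed(specs):
        if spec_type not in (None, ftype):
            continue
        if regex.fullmatch(path):
            return None if ctx == "<<none>>" else ctx
    return None


def make_tree() -> Dict[str, Tuple[str, str]]:
    """Constructed stand-in for the filesystem: path -> (ftype, current context).

    /tmp/foo carries the etc_t label set by the transcript's 'chcon -t etc_t'.
    """
    return {
        "/etc": ("dir", "system_u:object_r:etc_t:s0"),
        "/etc/passwd": ("file", "system_u:object_r:default_t:s0"),
        "/tmp": ("dir", "system_u:object_r:tmp_t:s0"),
        "/tmp/foo": ("file", "system_u:object_r:etc_t:s0"),
    }


def restorecon(tree, specs, path, recursive=False, warn_descendants=False):
    """Model of 'restorecon [-R] PATH'; returns (relabels, no-default-label warnings).

    warn_descendants=True models the pre-patch behaviour (warn for every
    unlabeled path walked); False warns only for the caller-supplied path.
    """
    relabels: List[Tuple[str, str, str]] = []
    warnings: List[str] = []
    targets = [path]
    if recursive and tree[path][0] == "dir":
        prefix = path.rstrip("/") + "/"
        targets += sorted(p for p in tree if p.startswith(prefix))
    for p in targets:
        ftype, current = tree[p]
        default = lookup(specs, p, ftype)
        if default is None:
            if p == path or warn_descendants:
                warnings.append(f"Warning no default label for {p}")
            continue  # nothing to restore to; leave the existing label alone
        if default != current:
            relabels.append((p, current, default))
            tree[p] = (ftype, default)
    return relabels, warnings


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for args in (("/tmp/foo", False), ("/tmp/foo", True), ("/tmp", True)):
        print(args, restorecon(make_tree(), specs, *args))
```

With the patch semantics, restorecon /tmp/foo and restorecon -R /tmp/foo both warn (the path was named by the caller), while restorecon -R /tmp stays quiet because /tmp/foo is only reached through recursion and the <<none>> entry is deliberate; flipping warn_descendants to True shows the flood the patch removes.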

Re: [PATCH] restorecon manpage: link back to fixfiles

2017-01-13 Thread Stephen Smalley
On Thu, 2017-01-12 at 23:42 +, Alan Jenkins wrote: > My main puzzle here[*] is why `fixfiles` handles sysfs (/sys/) fine, > but  > then there's floods of warnings about debugfs > (/sys/kernel/debug/).  The  > same seems to happen with /dev/ being fine, but not the other > virtual  > fs's with