Re: [PATCH] selinux: Fix SBLABEL_MNT for NFS mounts

2017-03-30 Thread Stephen Smalley
On Thu, 2017-03-30 at 13:41 -0400, J. Bruce Fields wrote: > On Thu, Mar 30, 2017 at 01:27:07PM -0400, Stephen Smalley wrote: > > On Thu, 2017-03-30 at 09:49 +0200, Tomeu Vizoso wrote: > > > On 29 March 2017 at 23:34, J. Bruce Fields > > > wrote: > > > > On Wed, Mar 29, 2017 at

Re: [PATCH] selinux: Fix SBLABEL_MNT for NFS mounts

2017-03-30 Thread J. Bruce Fields
On Thu, Mar 30, 2017 at 01:27:07PM -0400, Stephen Smalley wrote: > On Thu, 2017-03-30 at 09:49 +0200, Tomeu Vizoso wrote: > > On 29 March 2017 at 23:34, J. Bruce Fields > > wrote: > > > On Wed, Mar 29, 2017 at 05:27:23PM +0200, Tomeu Vizoso wrote: > > > > Labelling of files in

Re: [PATCH] selinux: Fix SBLABEL_MNT for NFS mounts

2017-03-30 Thread Stephen Smalley
On Thu, 2017-03-30 at 09:49 +0200, Tomeu Vizoso wrote: > On 29 March 2017 at 23:34, J. Bruce Fields > wrote: > > On Wed, Mar 29, 2017 at 05:27:23PM +0200, Tomeu Vizoso wrote: > > > Labelling of files in a NFSv4.2 currently fails with ENOTSUPP > > > because > > > the mount

Re: label for /proc directory (before mounting)

2017-03-30 Thread Colin Walters
On Thu, Mar 30, 2017, at 09:44 AM, Stephen Smalley wrote: > You shouldn't hardcode security contexts, ever. Why can't one just fix > the Fedora policy? Do we still even need the <> entries for > /proc in file_contexts in Fedora policy, given that restorecon is now > smart enough to skip any

Re: label for /proc directory (before mounting)

2017-03-30 Thread Dominick Grift
On Thu, Mar 30, 2017 at 09:44:34AM -0400, Stephen Smalley wrote: > On Wed, 2017-03-29 at 17:00 -0400, Colin Walters wrote: > > Hi, see: https://github.com/ostreedev/ostree/pull/768 > > > > TL;DR: Policy (at least Fedora's version) does not specify > > a label for /proc on disk (as distinct from

Re: label for /proc directory (before mounting)

2017-03-30 Thread Stephen Smalley
On Wed, 2017-03-29 at 17:00 -0400, Colin Walters wrote: > Hi, see: https://github.com/ostreedev/ostree/pull/768 > > TL;DR: Policy (at least Fedora's version) does not specify > a label for /proc on disk (as distinct from the `proc_t` from > the genfscon). > > This causes some breakage in

Re: [PATCH] selinux: Use task_alloc hook rather than task_create hook

2017-03-30 Thread Tetsuo Handa
Paul Moore wrote: > > Signed-off-by: Tetsuo Handa > > Acked-by: Stephen Smalley > > --- > > security/selinux/hooks.c | 5 +++-- > > 1 file changed, 3 insertions(+), 2 deletions(-) > > When are you planning to remove the task_create()

Re: [PATCH] selinux: Fix SBLABEL_MNT for NFS mounts

2017-03-30 Thread Tomeu Vizoso
On 29 March 2017 at 23:34, J. Bruce Fields wrote: > On Wed, Mar 29, 2017 at 05:27:23PM +0200, Tomeu Vizoso wrote: >> Labelling of files in a NFSv4.2 currently fails with ENOTSUPP because >> the mount point doesn't have SBLABEL_MNT. >> >> Add specific condition for NFS4

Re: [PATCH] selinux: Remove unnecessary check of array base in selinux_set_mapping()

2017-03-30 Thread Paul Moore
On Thu, Mar 23, 2017 at 1:34 PM, Grant Grundler wrote: > On Thu, Mar 23, 2017 at 5:08 AM, Paul Moore wrote: >> On Wed, Mar 22, 2017 at 8:28 PM, Grant Grundler >> wrote: >>> Ping? Any feedback on this patch? >> >> It's on my

Re: [PATCH] selinux: Fix SBLABEL_MNT for NFS mounts

2017-03-30 Thread J. Bruce Fields
On Wed, Mar 29, 2017 at 05:27:23PM +0200, Tomeu Vizoso wrote: > Labelling of files in a NFSv4.2 currently fails with ENOTSUPP because > the mount point doesn't have SBLABEL_MNT. > > Add specific condition for NFS4 filesystems so it gets correctly > labeled. Huh. Looking at the code, I think
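An added user-space check for the symptom Tomeu's patch description names (this is example code written for this page, not code from the thread, the patch or the kernel): on a superblock without SBLABEL_MNT the kernel still answers getxattr("security.selinux") with the label it computed (genfscon, or the label the NFS server supplied), but refuses setxattr with EOPNOTSUPP, which user space sees as ENOTSUP. Reading the label and writing the identical bytes back therefore separates labelable mounts from non-labelable ones without changing anything on disk, and separates both from a plain permission denial. It assumes Linux with `<sys/xattr.h>`; the enum names and the errno-to-verdict mapping are this example's own.

```c
/*
 * Example probe (not from the thread or the kernel): does this path's mount
 * accept SELinux labels?  Read security.selinux, then write the same value
 * back.  The write is the call that hits the SBLABEL_MNT check; the read
 * alone succeeds on genfscon- or server-provided labels and would mislead.
 * Assumes Linux and <sys/xattr.h>.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>

enum label_support {
    LABEL_SUPPORTED,    /* label readable and rewritable */
    LABEL_UNSUPPORTED,  /* ENOTSUP: mount does not accept labels */
    LABEL_UNLABELED,    /* ENODATA: xattrs work but no label stored */
    LABEL_DENIED,       /* EACCES/EPERM: supported, this caller not allowed */
    LABEL_ERROR         /* anything else (ENOENT, EIO, ...) */
};

/* Map the errno left by a security.selinux xattr call to a verdict. */
enum label_support classify_xattr_errno(int err)
{
    switch (err) {
    case 0:        return LABEL_SUPPORTED;
    case ENOTSUP:  return LABEL_UNSUPPORTED;   /* kernel's -EOPNOTSUPP */
    case ENODATA:  return LABEL_UNLABELED;
    case EACCES:
    case EPERM:    return LABEL_DENIED;
    default:       return LABEL_ERROR;
    }
}

const char *label_support_str(enum label_support s)
{
    static const char *const names[] = {
        "supported", "unsupported", "unlabeled", "denied", "error"
    };
    return (s >= LABEL_SUPPORTED && s <= LABEL_ERROR) ? names[s] : "?";
}

/*
 * Read the current label of path into ctx (ctxlen >= 2), then write the
 * same bytes back.  ctx is left empty if nothing could be read.
 */
enum label_support probe_label_support(const char *path, char *ctx, size_t ctxlen)
{
    ctx[0] = '\0';
    ssize_t n = lgetxattr(path, "security.selinux", ctx, ctxlen - 1);
    if (n < 0)
        return classify_xattr_errno(errno);
    ctx[n] = '\0';   /* SELinux already includes the NUL in n; defensive */
    if (lsetxattr(path, "security.selinux", ctx, (size_t)n, 0) < 0)
        return classify_xattr_errno(errno);
    return LABEL_SUPPORTED;
}

int main(int argc, char **argv)
{
    char ctx[256];
    const char *path = argc > 1 ? argv[1] : "/";
    enum label_support s = probe_label_support(path, ctx, sizeof ctx);

    printf("%s: %s", path, label_support_str(s));
    if (ctx[0] != '\0')
        printf(" (label read back: %s)", ctx);
    putchar('\n');
    return s == LABEL_SUPPORTED ? 0 : 1;
}
```

Run it as a process allowed to relabel (for example unconfined root) against a file on ext4 and against one on a labeled NFSv4.2 mount: with the bug this thread describes, the NFS file reports "unsupported" while still printing the label the server returned, which is exactly the getxattr-works-but-setxattr-fails shape of a missing SBLABEL_MNT. A result of "denied" on the same file means the mount is fine and the caller lacks relabelfrom/relabelto in policy.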