[PATCH v2] libsepol, checkpolicy: add binary module support for xperms

2017-05-16 Thread Stephen Smalley
Presently we support xperms rules in source policy and in CIL modules. The binary policy module format however was never extended for xperms. This limitation inhibits use of xperms in refpolicy-based policy modules (including the selinux-testsuite policy). Update libsepol to support linking,

Re: [PATCH v2] selinux: log policy capability state when a policy is loaded

2017-05-16 Thread Stephen Smalley
On Tue, 2017-05-16 at 16:56 -0400, Paul Moore wrote: > On Fri, May 12, 2017 at 12:44 PM, Stephen Smalley > wrote: > > Log the state of SELinux policy capabilities when a policy is > > loaded. > > For each policy capability known to the kernel, log an > > informational > >

Re: [PATCH v2] selinux: log policy capability state when a policy is loaded

2017-05-16 Thread Paul Moore
On Fri, May 12, 2017 at 12:44 PM, Stephen Smalley wrote: > Log the state of SELinux policy capabilities when a policy is loaded. > For each policy capability known to the kernel, log an informational > message with the policy capability name and the value set in the policy. >

Re: [PATCH v2] selinux: log policy capability state when a policy is loaded

2017-05-16 Thread Paul Moore
On Fri, May 12, 2017 at 12:44 PM, Stephen Smalley wrote: > v2 drops the Resolves line since I think we are not supposed to include > bug tracking info in upstream kernel commit messages (correct me if wrong). For future reference, I would encourage people to provide links to

Re: [PATCH v5 1/2] selinux: add brief info to policydb

2017-05-16 Thread Stephen Smalley
On Tue, 2017-05-16 at 18:51 +0900, Sebastien Buisson wrote: > Add policybrief field to struct policydb. It holds a brief info > of the policydb, made of colon separated name and value pairs > that give information about how the policy is applied in the > security module(s). > Note that the

Re: selinux: Use an other error code for an input validation failure in sidtab_insert()

2017-05-16 Thread SF Markus Elfring
> Have you tested this to determine any impact it may have on the > SELinux userspace? Not yet. > I would agree that EINVAL is probably more appropriate in this case, Thanks, a part of your view seems to fit mine as well. > but changing this return code has very little value I would

Re: [PATCH v1 7/9] semanage: Update semanage to allow runtime labeling of Infiniband Pkeys

2017-05-16 Thread Daniel Jurgens
On 5/16/2017 2:36 PM, Stephen Smalley wrote: > On Tue, 2017-05-16 at 19:34 +, Daniel Jurgens wrote: >> On 5/16/2017 2:30 PM, Stephen Smalley wrote: >>> On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote: From: Daniel Jurgens Update libsepol and

Re: [PATCH] selinux: only invoke capabilities and selinux for CAP_MAC_ADMIN checks

2017-05-16 Thread Paul Moore
On Thu, Apr 20, 2017 at 11:31 AM, Stephen Smalley wrote: > SELinux uses CAP_MAC_ADMIN to control the ability to get or set a raw, > uninterpreted security context unknown to the currently loaded security > policy. When performing these checks, we only want to perform a base >

Re: [PATCH v1 7/9] semanage: Update semanage to allow runtime labeling of Infiniband Pkeys

2017-05-16 Thread Stephen Smalley
On Tue, 2017-05-16 at 19:34 +, Daniel Jurgens wrote: > On 5/16/2017 2:30 PM, Stephen Smalley wrote: > > On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote: > > > From: Daniel Jurgens > > > > > > Update libsepol and libsemanage to work with pkey records. Add > > >

Re: [PATCH v1 7/9] semanage: Update semanage to allow runtime labeling of Infiniband Pkeys

2017-05-16 Thread Daniel Jurgens
On 5/16/2017 2:30 PM, Stephen Smalley wrote: > On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> Update libsepol and libsemanage to work with pkey records. Add local >> storage for new and modified pkey records in pkeys.local. Update >>

Re: [PATCH v1 7/9] semanage: Update semanage to allow runtime labeling of Infiniband Pkeys

2017-05-16 Thread Stephen Smalley
On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote: > From: Daniel Jurgens > > Update libsepol and libsemanage to work with pkey records. Add local > storage for new and modified pkey records in pkeys.local. Update > semanage > to parse the pkey command options to add,

Re: [PATCH 3/3] selinux: Use an other error code for an input validation failure in sidtab_insert()

2017-05-16 Thread Paul Moore
On Tue, Apr 4, 2017 at 7:16 AM, SF Markus Elfring wrote: > From: Markus Elfring > Date: Tue, 4 Apr 2017 12:23:41 +0200 > > The error code "-ENOMEM" was also returned so far when the parameter "s" > of this function contained a null

Re: [PATCH 2/3] selinux: Return an error code only as a constant in sidtab_insert()

2017-05-16 Thread Paul Moore
On Tue, Apr 4, 2017 at 7:14 AM, SF Markus Elfring wrote: > From: Markus Elfring > Date: Tue, 4 Apr 2017 11:33:53 +0200 > > * Return an error code without storing it in an intermediate variable. > > * Delete the local variable "rc" and

Re: [PATCH v1 7/9] semanage: Update semanage to allow runtime labeling of Infiniband Pkeys

2017-05-16 Thread Stephen Smalley
On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote: > From: Daniel Jurgens > > Update libsepol and libsemanage to work with pkey records. Add local > storage for new and modified pkey records in pkeys.local. Update > semanage > to parse the pkey command options to add,

Re: [PATCH v1 4/9] checkpolicy: Add support for ibendportcon labels

2017-05-16 Thread Stephen Smalley
On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote: > From: Daniel Jurgens > > Add checkpolicy support for scanning and parsing ibendportcon labels. > Also create a new ocontext for IB end ports. > > Signed-off-by: Daniel Jurgens > > --- > v1: >

Re: [PATCH v1 2/9] libsepol: Add ibpkey ocontext handling

2017-05-16 Thread Stephen Smalley
On Tue, 2017-05-16 at 14:43 -0400, Stephen Smalley wrote: > On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote: > > From: Daniel Jurgens > > > > Add support for reading, writing, and copying Infinabinda Pkey  > > Infiniband > > > ocontext > > data. Also add support for

Re: [PATCH v1 2/9] libsepol: Add ibpkey ocontext handling

2017-05-16 Thread Stephen Smalley
On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote: > From: Daniel Jurgens > > Add support for reading, writing, and copying Infinabinda Pkey Infiniband > ocontext > data. Also add support for querying a Pkey sid to checkpolicy. > > Signed-off-by: Daniel Jurgens

Re: [PATCH 1/3] selinux: Return directly after a failed memory allocation in policydb_index()

2017-05-16 Thread Paul Moore
On Tue, Apr 4, 2017 at 7:12 AM, SF Markus Elfring wrote: > From: Markus Elfring > Date: Tue, 4 Apr 2017 10:20:46 +0200 > > Replace five goto statements (and previous variable assignments) by > direct returns after a memory allocation

Re: [PATCH] selinux: Use task_alloc hook rather than task_create hook

2017-05-16 Thread Paul Moore
On Fri, Mar 31, 2017 at 3:20 PM, Paul Moore wrote: > On Thu, Mar 30, 2017 at 7:13 AM, Tetsuo Handa > wrote: >> Paul Moore wrote: >>> > Signed-off-by: Tetsuo Handa >>> > Acked-by: Stephen Smalley

Re: [PATCH v1 1/9] checkpolicy: Add support for ibpkeycon labels

2017-05-16 Thread Stephen Smalley
On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote: > From: Daniel Jurgens > > Add checkpolicy support for scanning and parsing ibpkeycon labels. > Also > create a new ocontext for Infiniband Pkeys and define a new policydb > version for infiniband support. > >

Re: [PATCH v1 8/9] semanage: Update semanage to allow runtime labeling of ibendports

2017-05-16 Thread Daniel Jurgens
On 5/16/2017 11:48 AM, Jason Zaman wrote: > On Mon, May 15, 2017 at 11:42:40PM +0300, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> Update libsepol and libsemanage to work with ibendport records. Add local >> storage for new and modified ibendport records in

Re: [PATCH v4 1/2] selinux: add brief info to policydb

2017-05-16 Thread Christoph Hellwig
> Add security_policy_brief hook to give access to policy brief to > the rest of the kernel. Lustre client makes use of this information > to detect changes to the policy, and forward it to Lustre servers. > Depending on how the policy is enforced on Lustre client side, > Lustre servers can refuse

[PATCH v5 1/2] selinux: add brief info to policydb

2017-05-16 Thread Sebastien Buisson
Add policybrief field to struct policydb. It holds a brief info of the policydb, made of colon separated name and value pairs that give information about how the policy is applied in the security module(s). Note that the ordering of the fields in the string may change. Policy brief is computed

[PATCH v5 2/2] selinux: expose policy brief via selinuxfs

2017-05-16 Thread Sebastien Buisson
Expose policy brief via selinuxfs. Signed-off-by: Sebastien Buisson --- security/selinux/selinuxfs.c | 26 ++ 1 file changed, 26 insertions(+) diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index e8fe914..2561f96 100644 ---