[PATCH ghak47 V1] audit: normalize MAC_POLICY_LOAD record

2018-04-09 Thread Richard Guy Briggs
The audit MAC_POLICY_LOAD record had redundant dangling keywords and was missing information about which LSM was responsible and its completion status. While this record is only issued on success, the parser expects the res= field to be present. Old record: type=MAC_POLICY_LOAD msg=audit(14792997

[PATCH ghak46 V1] audit: normalize MAC_STATUS record

2018-04-09 Thread Richard Guy Briggs
There were two formats of the audit MAC_STATUS record, one of which was more standard than the other. One listed enforcing status changes and the other listed enabled status changes with a non-standard label. In addition, the record was missing information about which LSM was responsible and the

Re: [PATCH] selinux: fix missing dput() before selinuxfs unmount

2018-04-09 Thread Linus Torvalds
On Mon, Apr 9, 2018 at 11:36 AM, Stephen Smalley wrote: > Commit 0619f0f5e36f ("selinux: wrap selinuxfs state") triggers > a BUG when SELinux is runtime-disabled (i.e. systemd or equivalent > disables SELinux before initial policy load via /sys/fs/selinux/disable > based on /etc/selinux/config SEL

[PATCH] selinux: fix missing dput() before selinuxfs unmount

2018-04-09 Thread Stephen Smalley
Commit 0619f0f5e36f ("selinux: wrap selinuxfs state") triggers a BUG when SELinux is runtime-disabled (i.e. systemd or equivalent disables SELinux before initial policy load via /sys/fs/selinux/disable based on /etc/selinux/config SELINUX=disabled). This does not manifest if SELinux is disabled vi

Re: CIL namespaces and blockinheritfilter keyword.

2018-04-09 Thread jwcart2
On 04/09/2018 08:07 AM, Dominick Grift wrote: On Mon, Apr 09, 2018 at 01:41:12PM +0200, Lukas Vrabec wrote: On 04/09/2018 10:41 AM, Dominick Grift wrote: On Mon, Apr 09, 2018 at 09:55:23AM +0200, Dominick Grift wrote: On Sun, Apr 08, 2018 at 11:00:53PM +0200, Lukas Vrabec wrote: Hi All, I'm

Re: CIL namespaces and blockinheritfilter keyword.

2018-04-09 Thread Gary Tierney
On Mon, Apr 09, 2018 at 01:41:12PM +0200, Lukas Vrabec wrote: ... snip ... Those wiki pages on SELinuxProject/cil are now pretty out of date (you'll notice that some other statements mentioned there like `template` are not implemented as well). The updated documentation is at https://github.

Re: [GIT PULL] SELinux patches for v4.17

2018-04-09 Thread Xin Long
On Mon, Apr 9, 2018 at 6:44 AM, Richard Haines wrote: > On Sun, 2018-04-08 at 19:59 +0100, Richard Haines via Selinux wrote: >> On Mon, 2018-04-09 at 01:43 +0800, Xin Long wrote: >> > On Sun, Apr 8, 2018 at 10:09 PM, Richard Haines >> > wrote: >> > > On Sun, 2018-04-08 at 08:50 -0400, Paul Moore

Re: [GIT PULL] SELinux patches for v4.17

2018-04-09 Thread Xin Long
On Sun, Apr 8, 2018 at 10:09 PM, Richard Haines wrote: > On Sun, 2018-04-08 at 08:50 -0400, Paul Moore wrote: >> On April 7, 2018 1:03:57 PM Linus Torvalds wrote: >> On Sat, Apr 7, 2018 at 9:54 AM, Richard Haines >> wrote: >> >> So please check my resolution, but also somebody should tell

Re: [GIT PULL] SELinux patches for v4.17

2018-04-09 Thread Linus Torvalds
On Sat, Apr 7, 2018 at 9:54 AM, Richard Haines wrote: >> >> So please check my resolution, but also somebody should tell me >> "Linus, you're a cretin, sctp_connect() doesn't want that >> security_sctp_bind_connect() at all because it was already done by >> XYZ" > > sctp_connect() or __sctp_connec

Re: [GIT PULL] SELinux patches for v4.17

2018-04-09 Thread Xin Long
On Sat, Apr 7, 2018 at 7:07 AM, Linus Torvalds wrote: > On Tue, Apr 3, 2018 at 6:37 PM, Paul Moore wrote: >> >> Everything passes the selinux-testsuite, but there are a few known >> merge conflicts. The first is with the netdev tree and is in >> net/sctp/socket.c. Unfortunately it is a bit ugly

Re: [GIT PULL] SELinux patches for v4.17

2018-04-09 Thread Linus Torvalds
On Tue, Apr 3, 2018 at 6:37 PM, Paul Moore wrote: > > Everything passes the selinux-testsuite, but there are a few known > merge conflicts. The first is with the netdev tree and is in > net/sctp/socket.c. Unfortunately it is a bit ugly, thankfully Stephen > Rothwell has already done the heavy li

Re: CIL namespaces and blockinheritfilter keyword.

2018-04-09 Thread Dominick Grift
On Mon, Apr 09, 2018 at 01:41:12PM +0200, Lukas Vrabec wrote: > On 04/09/2018 10:41 AM, Dominick Grift wrote: > > On Mon, Apr 09, 2018 at 09:55:23AM +0200, Dominick Grift wrote: > >> On Sun, Apr 08, 2018 at 11:00:53PM +0200, Lukas Vrabec wrote: > >>> Hi All, > >>> > >>> I'm reading "SELINUX COMMON

Re: CIL namespaces and blockinheritfilter keyword.

2018-04-09 Thread Lukas Vrabec
On 04/09/2018 10:41 AM, Dominick Grift wrote: > On Mon, Apr 09, 2018 at 09:55:23AM +0200, Dominick Grift wrote: >> On Sun, Apr 08, 2018 at 11:00:53PM +0200, Lukas Vrabec wrote: >>> Hi All, >>> >>> I'm reading "SELINUX COMMON INTERMEDIATE LANGUAGE MOTIVATION AND DESIGN" >>> wiki page [1] and I'm int

Re: CIL namespaces and blockinheritfilter keyword.

2018-04-09 Thread Dominick Grift
On Mon, Apr 09, 2018 at 09:55:23AM +0200, Dominick Grift wrote: > On Sun, Apr 08, 2018 at 11:00:53PM +0200, Lukas Vrabec wrote: > > Hi All, > > > > I'm reading "SELINUX COMMON INTERMEDIATE LANGUAGE MOTIVATION AND DESIGN" > > wiki page [1] and I'm interested in CIL namespaces. I tried several > > e

Re: CIL namespaces and blockinheritfilter keyword.

2018-04-09 Thread Dominick Grift
On Sun, Apr 08, 2018 at 11:00:53PM +0200, Lukas Vrabec wrote: > Hi All, > > I'm reading "SELINUX COMMON INTERMEDIATE LANGUAGE MOTIVATION AND DESIGN" > wiki page [1] and I'm interested in CIL namespaces. I tried several > examples related to blockinheritance and all works just great! > > However,