Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-10-31 Thread Florian Westphal
Stephen Smalley wrote: > Since 4.14-rc1, the selinux-testsuite has been encountering sporadic > failures during testing of labeled IPSEC. git bisect pointed to > commit ec30d78c14a813db39a647b6a348b4286 ("xfrm: add xdst pcpu cache"). > The xdst pcpu cache is only checking that the policies are the

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-10-31 Thread Florian Westphal
Stephen Smalley wrote: > It is a regression; the correct SA was being used prior to the xdst > pcpu cache commit. I don't doubt that at all. I would like to understand why the flow cache did not have this problem. > easily run on a Fedora VM, > git clone https://github.com/SELinuxProject/selinu

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-11-01 Thread Florian Westphal
Paul Moore wrote: > On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley wrote: > > matching before (as in this patch) or after calling xfrm_bundle_ok()? > > I would probably make the LSM call the last check, as you've done; but > I have to say that is just so it is consistent with the "LSM last" >

Re: [RFC PATCH 0/2] selinux: avoid nf hooks overhead when not needed

2016-04-07 Thread Florian Westphal
Paul Moore wrote: > On Wed, Apr 6, 2016 at 5:51 AM, Paolo Abeni wrote: > > Currently, selinux always registers iptables POSTROUTING hooks regardless of > > the running policy needs for any action to be performed by them. > > > > Even the socket_sock_rcv_skb() is always registered, but it can resul

Re: [RFC PATCH 0/2] selinux: avoid nf hooks overhead when not needed

2016-04-07 Thread Florian Westphal
Paul Moore wrote: > On Wed, Apr 6, 2016 at 6:14 PM, Florian Westphal wrote: > > netfilter hooks are per namespace -- so there is hook unregister when > > netns is destroyed. > > Looking around, I see the global and per-namespace registration > functio

Re: [PATCH] netfilter: nf_tables: add SECMARK support

2018-09-20 Thread Florian Westphal
Casey Schaufler wrote: > On 9/19/2018 4:14 PM, Christian Göttsche wrote: > > Add the ability to set the security context of packets within the nf_tables > > framework. > > Add a nft_object for holding security contexts in the kernel and > > manipulating packets on the wire. > > The contexts are

Re: [PATCH] netfilter: nf_tables: add SECMARK support

2018-09-20 Thread Florian Westphal
Christian Göttsche wrote: > > Fixes should go into nf.git whereas feature goes to nf-next.git. > > No, that should not be an unroll fix. > Currently there are no objects registered by the main nf_tables > module, so for nft_secmark_obj_type I had to introduce this new logic. I see, ok. > > > > +

Re: [PATCH v2 1/2] netfilter: nf_tables: add SECMARK support

2018-09-24 Thread Florian Westphal
Christian Göttsche wrote: > Add the ability to set the security context of packets within the nf_tables > framework. > Add a nft_object for holding security contexts in the kernel and manipulating > packets on the wire. > > Convert the security context strings at rule addition time to security

Re: [PATCH v2 1/2] netfilter: nf_tables: add SECMARK support

2018-09-24 Thread Florian Westphal
Christian Göttsche wrote: > > Can you change this to: > > > > struct nft_secmark { > > u32 secid; > > char *ctx; > > }; > > Does the nla_policy struct need an update too? (regarding the .len member) > > +static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] =

Re: [PATCH 2/2] netfilter: nf_tables: add requirements for connsecmark support

2018-09-24 Thread Florian Westphal
Christian Göttsche wrote: > Add ability to set the connection tracking secmark value. > Add ability to set the meta secmark value. Looks good to me. Acked-by: Florian Westphal