[GIT PULL] SELinux patches for v4.17

[richard_c_haines@btinternet.com (Richard Haines)]

On Sun, 2018-04-08 at 08:50 -0400, Paul Moore wrote:
> On April 7, 2018 1:03:57 PM Linus Torvalds <torvalds@linux-foundation
> .org> wrote:
> On Sat, Apr 7, 2018 at 9:54 AM, Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> 
> So please check my resolution, but also somebody should tell me
> "Linus, you're a cretin, sctp_connect() doesn't want that
> security_sctp_bind_connect() at all because it was already done by
> XYZ"
> 
> sctp_connect() or __sctp_connect() do not need to call
> security_sctp_bind_connect(). This is because the connect(2) call
> will
> handle the checks required via security_socket_connect():
> 
> Ok, thanks, that's exactly what I wanted to get.
> 
> Anyway, somebody should still verify that it all looks good in my
> tree, but I don't actually expect the merge to have had any issues
> even if the refactoring made it a bit more complex than most merges
> are.
> 
> Thanks for the quick response Richard.
> 
> Xin Long looked it over and gave it the thumbs up, I'll take a look
> too, but to be honest I trust his SCTP understanding much more than
> mine.  I also do weekly tests of each rcX release at a minimum so if
> something odd pops up I'll make sure you get a fix.
> 
> Thanks again everyone.

I built the kernel this morning and sorry to spoil the party, but I've
run into a problem with lksctp-tools when running the func_tests:

make v6test
..
..
./test_timetolive_v6
test_timetolive.c  0 INFO : Creating fillmsg of size 3087
test_timetolive.c  1 PASS : Send a message with timeout
test_timetolive.c  2 PASS : Send a message with no timeout
test_timetolive.c  3 PASS : Send a fragmented message with timeout
test_timetolive.c  0 INFO :  **  SLEEPING for 3 seconds **
test_timetolive.c  4 BROK : Got a datamsg of unexpected length:23,
expected length:27
DUMP_CORE sctputil.c: 247
/bin/sh: line 1: 30981 Segmentation fault      (core dumped) ./$a
test_timetolive_v6 fails

make v4 test fails the same way. I'm using lksctp-tools from [1]. I
have not investigated the cause yet as just found this and thought I
should flag first just in case someone has the answer !!!

On the bright side, I've run the sctp-tests from [2] with no problems
and also the selinux-testsuite with my SCTP patch from [3] using an
updated Fedora policy from [4] (with sctp support added), all in
enforcing mode.

Also the LTP test passed:
cd /opt/ltp/
cat runtest/syscalls |grep connect01>runtest/connect-syscall
./runltp -pq -f connect-syscall
....

[1] https://github.com/sctp/lksctp-tools
[2] https://github.com/sctp/sctp-tests
[3] https://marc.info/?l=selinux&m=152156947715709&w=2
[4] https://github.com/fedora-selinux/selinux-policy


> 
> --
> paul moore
> www.paul-moore.com
> 
> 
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html