* 2.6.24-rc8-mm1 and SELinux MLS - not playing nice....
From: Valdis.Kletnieks @ 2008-01-18 7:51 UTC
To: selinux, fedora-selinux-list

Posting to both lists because I'm not sure who's at fault here....

System is a Dell Latitude D820, x86_64 kernel, userspace is basically
Fedora Rawhide as of earlier today, in particular selinux-policy-mls-3.2.5-12.fc9

Trying to boot a 2.6.24-rc8-mm1 kernel gets me these msgs:

security: 5 users, 8 roles, 2043 types, 102 bools, 16 sens, 1024 cats
security: 67 classes, 164754 rules
security: class peer not defined in policy
security: permission recvfrom in class node not defined in policy
security: permission sendto in class node not defined in policy
security: permission ingress in class netif not defined in policy
security: permission egress in class netif not defined in policy
security: permission forward_in in class packet not found in policy, bad policy
security: the definition of a class is incorrect

2.6.24-rc6-mm1 said this instead:

security: class peer not defined in policy
security: permission recvfrom in class node not defined in policy
security: permission sendto in class node not defined in policy
security: permission ingress in class netif not defined in policy
security: permission egress in class netif not defined in policy
SELinux: policy loaded with handle_unknown=deny

and then proceeded to work OK.

(I suspect this may be the same thing Andrew Morton hit, but I can't be sure).

Anybody got hints on how to move forward? Or is a fixed policy already in the
Rawhide pipe?

* Re: 2.6.24-rc8-mm1 and SELinux MLS - not playing nice....
From: James Morris @ 2008-01-18 9:17 UTC
To: Valdis.Kletnieks
Cc: selinux, fedora-selinux-list, Paul Moore

On Fri, 18 Jan 2008, Valdis.Kletnieks@vt.edu wrote:

> Posting to both lists because I'm not sure who's at fault here....
>
> System is a Dell Latitude D820, x86_64 kernel, userspace is basically
> Fedora Rawhide as of earlier today, in particular selinux-policy-mls-3.2.5-12.fc9
>
> Trying to boot a 2.6.24-rc8-mm1 kernel gets me these msgs:
>
> security: 5 users, 8 roles, 2043 types, 102 bools, 16 sens, 1024 cats
> security: 67 classes, 164754 rules
> security: class peer not defined in policy
> security: permission recvfrom in class node not defined in policy
> security: permission sendto in class node not defined in policy
> security: permission ingress in class netif not defined in policy
> security: permission egress in class netif not defined in policy
> security: permission forward_in in class packet not found in policy, bad policy
> security: the definition of a class is incorrect

This looks the same as what akpm hit. Paul Moore has updated his labeled
networking patches (see Subject: [RFC PATCH v12 00/18] Labeled networking
changes for 2.6.25), and you could try dropping those into the broken out
-mm in place of the existing git patch, or just wait for a new -mm.

>
> 2.6.24-rc6-mm1 said this instead:
>
> security: class peer not defined in policy
> security: permission recvfrom in class node not defined in policy
> security: permission sendto in class node not defined in policy
> security: permission ingress in class netif not defined in policy
> security: permission egress in class netif not defined in policy
> SELinux: policy loaded with handle_unknown=deny
>
> and then proceeded to work OK.
>
> (I suspect this may be the same thing Andrew Morton hit, but I can't be sure).
>
> Anybody got hints on how to move forward? Or is a fixed policy already in the
> Rawhide pipe?
>
>

--
James Morris <jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: 2.6.24-rc8-mm1 and SELinux MLS - not playing nice....
From: Valdis.Kletnieks @ 2008-01-20 5:01 UTC
To: James Morris
Cc: selinux, fedora-selinux-list, Paul Moore

On Fri, 18 Jan 2008 20:17:00 +1100, James Morris said:

> This looks the same as what akpm hit. Paul Moore has updated his labeled
> networking patches (see Subject: [RFC PATCH v12 00/18] Labeled networking
> changes for 2.6.25), and you could try dropping those into the broken out
> -mm in place of the existing git patch, or just wait for a new -mm.

Confirming - I took V12 0-18, cat'ed it into one file, plopped that on top
of the broken-out/git-lblnet.patch and quilted up a test -rc8-mm1 and that
booted without complaints - dmesg says:

SELinux:8192 avtab hash slots allocated. Num of rules:164754
SELinux:8192 avtab hash slots allocated. Num of rules:164754
security: 5 users, 8 roles, 2043 types, 102 bools, 16 sens, 1024 cats
security: 67 classes, 164754 rules
security: class peer not defined in policy
security: permission recvfrom in class node not defined in policy
security: permission sendto in class node not defined in policy
security: permission ingress in class netif not defined in policy
security: permission egress in class netif not defined in policy
security: permission forward_in in class packet not defined in policy
security: permission forward_out in class packet not defined in policy
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev configfs, type configfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: policy loaded with handle_unknown=deny
type=1403 audit(1200804071.837:2): policy loaded auid=4294967295 ses=4294967295

* Re: 2.6.24-rc8-mm1 and SELinux MLS - not playing nice....
From: James Morris @ 2008-01-20 22:10 UTC
To: Valdis.Kletnieks
Cc: selinux, fedora-selinux-list, Paul Moore, Andrew Morton

On Sun, 20 Jan 2008, Valdis.Kletnieks@vt.edu wrote:

> On Fri, 18 Jan 2008 20:17:00 +1100, James Morris said:
>
> > This looks the same as what akpm hit. Paul Moore has updated his labeled
> > networking patches (see Subject: [RFC PATCH v12 00/18] Labeled networking
> > changes for 2.6.25), and you could try dropping those into the broken out
> > -mm in place of the existing git patch, or just wait for a new -mm.
>
> Confirming - I took V12 0-18, cat'ed it into one file, plopped that on top
> of the broken-out/git-lblnet.patch and quilted up a test -rc8-mm1 and that
> booted without complaints - dmesg says:

Thanks for testing this!

>
> SELinux:8192 avtab hash slots allocated. Num of rules:164754
> SELinux:8192 avtab hash slots allocated. Num of rules:164754
> security: 5 users, 8 roles, 2043 types, 102 bools, 16 sens, 1024 cats
> security: 67 classes, 164754 rules
> security: class peer not defined in policy
> security: permission recvfrom in class node not defined in policy
> security: permission sendto in class node not defined in policy
> security: permission ingress in class netif not defined in policy
> security: permission egress in class netif not defined in policy
> security: permission forward_in in class packet not defined in policy
> security: permission forward_out in class packet not defined in policy
> SELinux: Completing initialization.
> SELinux: Setting up existing superblocks.
> SELinux: initialized (dev dm-0, type ext3), uses xattr
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
> SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
> SELinux: initialized (dev configfs, type configfs), uses genfs_contexts
> SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
> SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
> SELinux: initialized (dev devpts, type devpts), uses transition SIDs
> SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
> SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts
> SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
> SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
> SELinux: initialized (dev proc, type proc), uses genfs_contexts
> SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
> SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
> SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> SELinux: policy loaded with handle_unknown=deny
> type=1403 audit(1200804071.837:2): policy loaded auid=4294967295 ses=4294967295
>
>

--
James Morris <jmorris@namei.org>

* Re: 2.6.24-rc8-mm1 and SELinux MLS - not playing nice....
From: Paul Moore @ 2008-01-22 2:47 UTC
To: Valdis.Kletnieks
Cc: James Morris, selinux, fedora-selinux-list

On Sunday 20 January 2008 12:01:41 am Valdis.Kletnieks@vt.edu wrote:

> On Fri, 18 Jan 2008 20:17:00 +1100, James Morris said:
> > This looks the same as what akpm hit. Paul Moore has updated his labeled
> > networking patches (see Subject: [RFC PATCH v12 00/18] Labeled networking
> > changes for 2.6.25), and you could try dropping those into the broken out
> > -mm in place of the existing git patch, or just wait for a new -mm.
>
> Confirming - I took V12 0-18, cat'ed it into one file, plopped that on top
> of the broken-out/git-lblnet.patch and quilted up a test -rc8-mm1 and that
> booted without complaints

Thanks for verifying this fix (and for all of the other testing help you've
provided recently).

--
paul moore
linux security @ hp

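An added example, not part of the thread or of any poster's message: a small Python triage of the policy-load lines quoted above, separating the "not defined in policy" notices that the working boots also show from the "not found in policy, bad policy" line seen only in the failing boot. The sample logs are trimmed copies of the excerpts in the thread; the function name `triage` and the verdict labels are assumptions of this example.

```python
import re

# Line shapes taken from the dmesg excerpts quoted in this thread.
CLASS_UNDEF = re.compile(r"security:\s+class (\S+) not defined in policy")
PERM_UNDEF = re.compile(r"security:\s+permission (\S+) in class (\S+) not defined in policy")
PERM_BAD = re.compile(r"security:\s+permission (\S+) in class (\S+) not found in policy, bad policy")
CLASS_BAD = re.compile(r"security:\s+the definition of a class is incorrect")
LOADED = re.compile(r"SELinux:\s+policy loaded with handle_unknown=(\w+)")

# Constructed samples: trimmed copies of the failing and patched boots.
FAILING_BOOT = """\
security: class peer not defined in policy
security: permission egress in class netif not defined in policy
security: permission forward_in in class packet not found in policy, bad policy
security: the definition of a class is incorrect
"""
PATCHED_BOOT = """\
security: class peer not defined in policy
security: permission egress in class netif not defined in policy
security: permission forward_in in class packet not defined in policy
security: permission forward_out in class packet not defined in policy
SELinux: policy loaded with handle_unknown=deny
"""


def triage(log_text):
    """Summarise one boot's policy-load messages (hypothetical helper)."""
    report = {"undefined_classes": [], "undefined_perms": [],
              "fatal": [], "handle_unknown": None}
    for line in log_text.splitlines():
        if m := PERM_BAD.search(line):
            report["fatal"].append(f"{m.group(2)}:{m.group(1)}")
        elif CLASS_BAD.search(line):
            report["fatal"].append("class definition incorrect")
        elif m := PERM_UNDEF.search(line):
            report["undefined_perms"].append(f"{m.group(2)}:{m.group(1)}")
        elif m := CLASS_UNDEF.search(line):
            report["undefined_classes"].append(m.group(1))
        elif m := LOADED.search(line):
            report["handle_unknown"] = m.group(1)
    # "loaded" needs the final SELinux line; labels are this example's own.
    report["verdict"] = ("loaded" if report["handle_unknown"] else
                         "rejected" if report["fatal"] else "incomplete log")
    return report


if __name__ == "__main__":
    print(triage(FAILING_BOOT)["verdict"], triage(PATCHED_BOOT)["verdict"])
```
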