From: Dominick Grift <dac.override@gmail.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov
Subject: Re: does load_policy default to loading the lowest polvers available?
Date: Wed, 14 Oct 2015 18:41:46 +0200
Message-ID: <20151014164145.GA11363@x250>
In-Reply-To: <561E7D47.7090306@tycho.nsa.gov>

On Wed, Oct 14, 2015 at 12:05:27PM -0400, Stephen Smalley wrote:
> >
> >>AFAIK, systemd just calls selinux_init_load_policy() in libselinux (aka
> >>load_policy -i).  And the approach to selecting a policy version has been
> >>stable for quite a while, so I wouldn't expect the libselinux in the
> >>initramfs to differ in this respect.

I just rebooted that machine, and it happened again! So the dangling 29
file was not at all related.

This issue is so weird, and so hard to narrow down.

I have about 7 systems all with the same policy, same selinux userspace, different form factors,
2 laptops (one rawhide, one fedora 23), one workstation (rawhide) and
4 qemu/kvm guests (all rawhide)

They're pretty much all identical from a config point of view except that
the workstation is a hypervisor and router

The workstation is the issue. I am getting avc denials for the same
access vectors (but only on the workstation):

system {status start }

(obviously the rules to allow it are present in the policy)

Is it Linux 4.3 related -> then why does it work on my rawhide laptop,
and kvm guests fine
Is it my policy -> then why does it work on all my other systems fine
Is it hardware related -> seems to be the only explanation but then why
does it not happen consistently? (it happens most of the time when booting
but not always)
Maybe it is a combination of hardware + linux 4.3?

So many questions and so hard to debug...

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
Dominick Grift