From: Al Viro <viro@zeniv.linux.org.uk>
To: Paul Moore <paul@paul-moore.com>
Cc: selinux@vger.kernel.org, linux-fsdevel@vger.kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>,
Christian Brauner <brauner@kernel.org>,
selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH][RFC] selinuxfs: saner handling of policy reloads
Date: Wed, 18 Oct 2023 05:35:32 +0100 [thread overview]
Message-ID: <20231018043532.GS800259@ZenIV> (raw)
In-Reply-To: <CAHC9VhTToc-rELe0EyOV4kRtOJuAmPzPB_QNn8Lw_EfMg+Edzw@mail.gmail.com>
On Tue, Oct 17, 2023 at 04:28:53PM -0400, Paul Moore wrote:
> Thanks Al.
>
> Giving this a very quick look, I like the code simplifications that
> come out of this change and I'll trust you on the idea that this
> approach is better from a VFS perspective.
>
> While the reject_all() permission hammer is good, I do want to make
> sure we are covered from a file labeling perspective; even though the
> DAC/reject_all() check hits first and avoids the LSM inode permission
> hook, we still want to make sure the files are labeled properly. It
> looks like given the current SELinux Reference Policy this shouldn't
> be a problem, it will be labeled like most everything else in
> selinuxfs via genfscon (SELinux policy construct). I expect those
> with custom SELinux policies will have something similar in place with
> a sane default that would cover the /sys/fs/selinux/.swapover
> directory but I did add the selinux-refpol list to the CC line just in
> case I'm being dumb and forgetting something important with respect to
> policy.
>
> The next step is to actually boot up a kernel with this patch and make
> sure it doesn't break anything. Simply booting up a SELinux system
> and running 'load_policy' a handful of times should exercise the
> policy (re)load path, and if you want a (relatively) simple SELinux
> test suite you can find one here:
>
> * https://github.com/SELinuxProject/selinux-testsuite
>
> The README.md should have the instructions necessary to get it
> running. If you can't do that, and no one else on the mailing list is
> able to test this out, I'll give it a go but expect it to take a while
> as I'm currently swamped with reviews and other stuff.
It does survive repeated load_policy (as well as semodule -d/semodule -e,
with expected effect on /booleans, AFAICS). As for the testsuite...
No regressions compared to clean -rc5, but then there are (identical)
failures on both - "Failed 8/76 test programs. 88/1046 subtests failed."
Incomplete defconfig, at a guess...
next prev parent reply other threads:[~2023-10-18 4:35 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-16 22:08 [PATCH][RFC] selinuxfs: saner handling of policy reloads Al Viro
2023-10-17 20:28 ` Paul Moore
2023-10-18 4:35 ` Al Viro [this message]
2023-10-19 1:39 ` Paul Moore
2023-10-19 13:10 ` Stephen Smalley
2023-11-13 3:48 ` Paul Moore
2023-10-19 13:02 ` Stephen Smalley
2023-11-13 16:19 ` Paul Moore
2023-11-14 20:57 ` Stephen Smalley
2023-11-14 21:53 ` Al Viro
2023-11-14 21:57 ` Al Viro
2023-11-14 22:24 ` Paul Moore
2023-11-15 13:35 ` Stephen Smalley
2023-11-16 13:16 ` Stephen Smalley
2023-11-16 14:30 ` Stephen Smalley
2023-11-16 17:53 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231018043532.GS800259@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=brauner@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=selinux-refpolicy@vger.kernel.org \
--cc=selinux@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.