[GIT PULL] SELinux patches for 3.15

[GIT PULL] SELinux patches for 3.15

[Paul Moore]

Hi James,

Here are the SELinux patches for 3.15.  There are three patches here, the 
first and last are obvious fixes and the middle patch is a straightforward 
DAC-before-MAC fix.  They should merge into the linux-security tree without 
problem.

Enjoy,
-Paul

---
The following changes since commit 41be702a542a0d14bb0b1c16e824fa9ed27616ec:

  Merge tag 'v3.13' into next (2014-01-23 15:52:06 -0500)

are available in the git repository at:


  git://git.infradead.org/users/pcmoore/selinux next

for you to fetch changes up to eee3094683fbc7fe6bcdaef58c1ef31f8460cdca:

  selinux: correctly label /proc inodes in use before the policy is loaded 
(2014-03-05 15:54:57 -0500)

----------------------------------------------------------------
Paul Moore (3):
      selinux: fix the output of ./scripts/get_maintainer.pl for SELinux
      selinux: put the mmap() DAC controls before the MAC controls
      selinux: correctly label /proc inodes in use before the policy is loaded

 MAINTAINERS              |  5 ++---
 security/selinux/hooks.c | 56 +++++++++++++++++++++++++++++-----------------
 2 files changed, 37 insertions(+), 24 deletions(-)

-- 
paul moore
security and virtualization @ redhat

Re: [GIT PULL] SELinux patches for 3.15

[James Morris]

On Fri, 14 Mar 2014, Paul Moore wrote:

> Hi James,
> 
> Here are the SELinux patches for 3.15.  There are three patches here, the 
> first and last are obvious fixes and the middle patch is a straightforward 
> DAC-before-MAC fix.  They should merge into the linux-security tree without 
> problem.
> 
> Enjoy,
> -Paul

Your tree is ahead of mine wrt Linus.  It doesn't apply.




-- 
James Morris
<jmorris@namei.org>

Re: [GIT PULL] SELinux patches for 3.15

[Eric Paris]

You think a security tree based on 3.13-rc7 is good and Paul, who
tested on the actual release of 3.13 is bad?

I know you got yelled at for randomly picking fast forward-ish merge
points, but now you've got a crappy merge point.  Apparently, it was
needed it for the Xen/TPM work (not sure why YOU merged it instead of
the TPM people, but that's beside the point).

But the problem stands.  You are based on a crummy location.  When are
you going to pick up 3.13?  After 3.14 is out?

Seems like Paul's move to include 3.13 made a lot of sense...

On Sun, Mar 16, 2014 at 11:51 PM, James Morris <jmorris@namei.org> wrote:
> On Fri, 14 Mar 2014, Paul Moore wrote:
>
>> Hi James,
>>
>> Here are the SELinux patches for 3.15.  There are three patches here, the
>> first and last are obvious fixes and the middle patch is a straightforward
>> DAC-before-MAC fix.  They should merge into the linux-security tree without
>> problem.
>>
>> Enjoy,
>> -Paul
>
> Your tree is ahead of mine wrt Linus.  It doesn't apply.
>
>
>
>
> --
> James Morris
> <jmorris@namei.org>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [GIT PULL] SELinux patches for 3.15

[Paul Moore]

On Monday, March 17, 2014 07:21:59 AM Eric Paris wrote:
> You think a security tree based on 3.13-rc7 is good and Paul, who
> tested on the actual release of 3.13 is bad?
> 
> I know you got yelled at for randomly picking fast forward-ish merge
> points, but now you've got a crappy merge point.  Apparently, it was
> needed it for the Xen/TPM work (not sure why YOU merged it instead of
> the TPM people, but that's beside the point).
> 
> But the problem stands.  You are based on a crummy location.  When are
> you going to pick up 3.13?  After 3.14 is out?
> 
> Seems like Paul's move to include 3.13 made a lot of sense...

This issue with the linux-security tree keeps coming up and I stand by my 
earlier statements that I would much prefer if the linux-security is based off 
the latest kernel release, e.g. 3.13 as of today.  This seems to be in keeping 
with Linus' comments, fits with what Eric was doing back when he managed the 
SELinux tree, and strikes a nice balance between stability and "newness".  I 
plan on continuing with this approach for the SELinux tree.

However, I don't want the 3.15 patches to get lost due to these stupid 
differences so I've created a new branch that has the SELinux 3.15 patches 
applied on top of linux-security#next.

 * git://git.infradead.org/users/pcmoore/selinux next
 
> On Sun, Mar 16, 2014 at 11:51 PM, James Morris <jmorris@namei.org> wrote:
> > On Fri, 14 Mar 2014, Paul Moore wrote:
> >> Hi James,
> >> 
> >> Here are the SELinux patches for 3.15.  There are three patches here, the
> >> first and last are obvious fixes and the middle patch is a
> >> straightforward
> >> DAC-before-MAC fix.  They should merge into the linux-security tree
> >> without
> >> problem.
> >> 
> >> Enjoy,
> >> -Paul
> > 
> > Your tree is ahead of mine wrt Linus.  It doesn't apply.

-- 
paul moore
security and virtualization @ redhat

Re: [GIT PULL] SELinux patches for 3.15

[James Morris]

On Mon, 17 Mar 2014, Paul Moore wrote:

> On Monday, March 17, 2014 07:21:59 AM Eric Paris wrote:
> > You think a security tree based on 3.13-rc7 is good and Paul, who
> > tested on the actual release of 3.13 is bad?
> > 
> > I know you got yelled at for randomly picking fast forward-ish merge
> > points, but now you've got a crappy merge point.  Apparently, it was
> > needed it for the Xen/TPM work (not sure why YOU merged it instead of
> > the TPM people, but that's beside the point).
> > 
> > But the problem stands.  You are based on a crummy location.  When are
> > you going to pick up 3.13?  After 3.14 is out?
> > 
> > Seems like Paul's move to include 3.13 made a lot of sense...
> 
> This issue with the linux-security tree keeps coming up and I stand by my 
> earlier statements that I would much prefer if the linux-security is based off 
> the latest kernel release, e.g. 3.13 as of today.  This seems to be in keeping 
> with Linus' comments, fits with what Eric was doing back when he managed the 
> SELinux tree, and strikes a nice balance between stability and "newness".  I 
> plan on continuing with this approach for the SELinux tree.

Ok, I'll try syncing to major releases from 3.14.


> 
> However, I don't want the 3.15 patches to get lost due to these stupid 
> differences so I've created a new branch that has the SELinux 3.15 patches 
> applied on top of linux-security#next.
> 
>  * git://git.infradead.org/users/pcmoore/selinux next
>  
> > On Sun, Mar 16, 2014 at 11:51 PM, James Morris <jmorris@namei.org> wrote:
> > > On Fri, 14 Mar 2014, Paul Moore wrote:
> > >> Hi James,
> > >> 
> > >> Here are the SELinux patches for 3.15.  There are three patches here, the
> > >> first and last are obvious fixes and the middle patch is a
> > >> straightforward
> > >> DAC-before-MAC fix.  They should merge into the linux-security tree
> > >> without
> > >> problem.
> > >> 
> > >> Enjoy,
> > >> -Paul
> > > 
> > > Your tree is ahead of mine wrt Linus.  It doesn't apply.
> 
> -- 
> paul moore
> security and virtualization @ redhat
> 

-- 
James Morris
<jmorris@namei.org>

Re: [GIT PULL] SELinux patches for 3.15

[James Morris]

On Mon, 17 Mar 2014, Paul Moore wrote:

> On Monday, March 17, 2014 07:21:59 AM Eric Paris wrote:
> > You think a security tree based on 3.13-rc7 is good and Paul, who
> > tested on the actual release of 3.13 is bad?
> > 
> > I know you got yelled at for randomly picking fast forward-ish merge
> > points, but now you've got a crappy merge point.  Apparently, it was
> > needed it for the Xen/TPM work (not sure why YOU merged it instead of
> > the TPM people, but that's beside the point).
> > 
> > But the problem stands.  You are based on a crummy location.  When are
> > you going to pick up 3.13?  After 3.14 is out?
> > 
> > Seems like Paul's move to include 3.13 made a lot of sense...
> 
> This issue with the linux-security tree keeps coming up and I stand by my 
> earlier statements that I would much prefer if the linux-security is based off 
> the latest kernel release, e.g. 3.13 as of today.  This seems to be in keeping 
> with Linus' comments, fits with what Eric was doing back when he managed the 
> SELinux tree, and strikes a nice balance between stability and "newness".  I 
> plan on continuing with this approach for the SELinux tree.
> 
> However, I don't want the 3.15 patches to get lost due to these stupid 
> differences so I've created a new branch that has the SELinux 3.15 patches 
> applied on top of linux-security#next.
> 
>  * git://git.infradead.org/users/pcmoore/selinux next

What's the new branch?  That seems to be the same.


-- 
James Morris
<jmorris@namei.org>

Re: [GIT PULL] SELinux patches for 3.15

[Paul Moore]

[-- Attachment #1: Type: text/plain, Size: 1936 bytes --]

My apologies, the new branch is "next-jmorris".

--
paul moore
www.paul-moore.com
On Mar 17, 2014 10:26 PM, "James Morris" <jmorris@namei.org> wrote:

> On Mon, 17 Mar 2014, Paul Moore wrote:
>
> > On Monday, March 17, 2014 07:21:59 AM Eric Paris wrote:
> > > You think a security tree based on 3.13-rc7 is good and Paul, who
> > > tested on the actual release of 3.13 is bad?
> > >
> > > I know you got yelled at for randomly picking fast forward-ish merge
> > > points, but now you've got a crappy merge point.  Apparently, it was
> > > needed it for the Xen/TPM work (not sure why YOU merged it instead of
> > > the TPM people, but that's beside the point).
> > >
> > > But the problem stands.  You are based on a crummy location.  When are
> > > you going to pick up 3.13?  After 3.14 is out?
> > >
> > > Seems like Paul's move to include 3.13 made a lot of sense...
> >
> > This issue with the linux-security tree keeps coming up and I stand by my
> > earlier statements that I would much prefer if the linux-security is
> based off
> > the latest kernel release, e.g. 3.13 as of today.  This seems to be in
> keeping
> > with Linus' comments, fits with what Eric was doing back when he managed
> the
> > SELinux tree, and strikes a nice balance between stability and
> "newness".  I
> > plan on continuing with this approach for the SELinux tree.
> >
> > However, I don't want the 3.15 patches to get lost due to these stupid
> > differences so I've created a new branch that has the SELinux 3.15
> patches
> > applied on top of linux-security#next.
> >
> >  * git://git.infradead.org/users/pcmoore/selinux next
>
> What's the new branch?  That seems to be the same.
>
>
> --
> James Morris
> <jmorris@namei.org>
> --
> To unsubscribe from this list: send the line "unsubscribe
> linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

[-- Attachment #2: Type: text/html, Size: 2768 bytes --]

Re: [GIT PULL] SELinux patches for 3.15

[Paul Moore]

On Tuesday, March 18, 2014 01:26:40 PM James Morris wrote:
> On Mon, 17 Mar 2014, Paul Moore wrote:
> > On Monday, March 17, 2014 07:21:59 AM Eric Paris wrote:
> > > You think a security tree based on 3.13-rc7 is good and Paul, who
> > > tested on the actual release of 3.13 is bad?
> > > 
> > > I know you got yelled at for randomly picking fast forward-ish merge
> > > points, but now you've got a crappy merge point.  Apparently, it was
> > > needed it for the Xen/TPM work (not sure why YOU merged it instead of
> > > the TPM people, but that's beside the point).
> > > 
> > > But the problem stands.  You are based on a crummy location.  When are
> > > you going to pick up 3.13?  After 3.14 is out?
> > > 
> > > Seems like Paul's move to include 3.13 made a lot of sense...
> > 
> > This issue with the linux-security tree keeps coming up and I stand by my
> > earlier statements that I would much prefer if the linux-security is based
> > off the latest kernel release, e.g. 3.13 as of today.  This seems to be
> > in keeping with Linus' comments, fits with what Eric was doing back when
> > he managed the SELinux tree, and strikes a nice balance between stability
> > and "newness".  I plan on continuing with this approach for the SELinux
> > tree.
> > 
> > However, I don't want the 3.15 patches to get lost due to these stupid
> > differences so I've created a new branch that has the SELinux 3.15 patches
> > applied on top of linux-security#next.
> > 
> >  * git://git.infradead.org/users/pcmoore/selinux next
> 
> What's the new branch?  That seems to be the same.

My mistake, the new branch is "next-jmorris".

[This is likely a duplicate for some of you, my phone sent a html message last 
time so it was dropped by the list.]

-- 
paul moore
security and virtualization @ redhat

Re: [GIT PULL] SELinux patches for 3.15

[James Morris]

On Tue, 18 Mar 2014, Paul Moore wrote:

> On Tuesday, March 18, 2014 01:26:40 PM James Morris wrote:
> > On Mon, 17 Mar 2014, Paul Moore wrote:
> > > On Monday, March 17, 2014 07:21:59 AM Eric Paris wrote:
> > > > You think a security tree based on 3.13-rc7 is good and Paul, who
> > > > tested on the actual release of 3.13 is bad?
> > > > 
> > > > I know you got yelled at for randomly picking fast forward-ish merge
> > > > points, but now you've got a crappy merge point.  Apparently, it was
> > > > needed it for the Xen/TPM work (not sure why YOU merged it instead of
> > > > the TPM people, but that's beside the point).
> > > > 
> > > > But the problem stands.  You are based on a crummy location.  When are
> > > > you going to pick up 3.13?  After 3.14 is out?
> > > > 
> > > > Seems like Paul's move to include 3.13 made a lot of sense...
> > > 
> > > This issue with the linux-security tree keeps coming up and I stand by my
> > > earlier statements that I would much prefer if the linux-security is based
> > > off the latest kernel release, e.g. 3.13 as of today.  This seems to be
> > > in keeping with Linus' comments, fits with what Eric was doing back when
> > > he managed the SELinux tree, and strikes a nice balance between stability
> > > and "newness".  I plan on continuing with this approach for the SELinux
> > > tree.
> > > 
> > > However, I don't want the 3.15 patches to get lost due to these stupid
> > > differences so I've created a new branch that has the SELinux 3.15 patches
> > > applied on top of linux-security#next.
> > > 
> > >  * git://git.infradead.org/users/pcmoore/selinux next
> > 
> > What's the new branch?  That seems to be the same.
> 
> My mistake, the new branch is "next-jmorris".

195 files changed, 1348 insertions(+), 885 deletions(-)

You should be using my next branch as your upstream.



-- 
James Morris
<jmorris@namei.org>

Re: [GIT PULL] SELinux patches for 3.15

[Eric Paris]

Paul merged your -next branch into his branch which already included
3.13, and then rebased his new patches on top of that.  So he's still
ahead of you.  I honestly believe pulling what he first requested is
the right thing.  But since James won't pull...

 Paul, I think you need to instead do a

BEFORE_MERGE=8ed814602876bec9bad2649ca17f34b499357a1c
BEFORE_FIRST_COMMIT=2146749d6db31f82691290dcad0827bb6a84d06b~1
LAST_COMMIT=3a501ff06773c33571eac7c6c425c10c99f08401

git rebase --onto $BEFORE_MERGE $BEFORE_FIRST_COMMIT $LAST_COMMIT
git branch -D next-jmorris #delete this last next-jmorris which contains 3.13
git checkout -b next-jmorris #recreate next-jmorris based on the last
SELinux tree
git push -f origin jmorris-next:jmorris-next

-Eric

On Tue, Mar 18, 2014 at 5:50 PM, James Morris <jmorris@namei.org> wrote:
> On Tue, 18 Mar 2014, Paul Moore wrote:
>
>> On Tuesday, March 18, 2014 01:26:40 PM James Morris wrote:
>> > On Mon, 17 Mar 2014, Paul Moore wrote:
>> > > On Monday, March 17, 2014 07:21:59 AM Eric Paris wrote:
>> > > > You think a security tree based on 3.13-rc7 is good and Paul, who
>> > > > tested on the actual release of 3.13 is bad?
>> > > >
>> > > > I know you got yelled at for randomly picking fast forward-ish merge
>> > > > points, but now you've got a crappy merge point.  Apparently, it was
>> > > > needed it for the Xen/TPM work (not sure why YOU merged it instead of
>> > > > the TPM people, but that's beside the point).
>> > > >
>> > > > But the problem stands.  You are based on a crummy location.  When are
>> > > > you going to pick up 3.13?  After 3.14 is out?
>> > > >
>> > > > Seems like Paul's move to include 3.13 made a lot of sense...
>> > >
>> > > This issue with the linux-security tree keeps coming up and I stand by my
>> > > earlier statements that I would much prefer if the linux-security is based
>> > > off the latest kernel release, e.g. 3.13 as of today.  This seems to be
>> > > in keeping with Linus' comments, fits with what Eric was doing back when
>> > > he managed the SELinux tree, and strikes a nice balance between stability
>> > > and "newness".  I plan on continuing with this approach for the SELinux
>> > > tree.
>> > >
>> > > However, I don't want the 3.15 patches to get lost due to these stupid
>> > > differences so I've created a new branch that has the SELinux 3.15 patches
>> > > applied on top of linux-security#next.
>> > >
>> > >  * git://git.infradead.org/users/pcmoore/selinux next
>> >
>> > What's the new branch?  That seems to be the same.
>>
>> My mistake, the new branch is "next-jmorris".
>
> 195 files changed, 1348 insertions(+), 885 deletions(-)
>
> You should be using my next branch as your upstream.
>
>
>
> --
> James Morris
> <jmorris@namei.org>

Re: [GIT PULL] SELinux patches for 3.15

[Paul Moore]

On Wednesday, March 19, 2014 08:50:03 AM James Morris wrote:
> On Tue, 18 Mar 2014, Paul Moore wrote:
> > On Tuesday, March 18, 2014 01:26:40 PM James Morris wrote:
> > > On Mon, 17 Mar 2014, Paul Moore wrote:
> > > > This issue with the linux-security tree keeps coming up and I stand by
> > > > my earlier statements that I would much prefer if the linux-security
> > > > is based off the latest kernel release, e.g. 3.13 as of today.  This
> > > > seems to be in keeping with Linus' comments, fits with what Eric was
> > > > doing back when he managed the SELinux tree, and strikes a nice
> > > > balance between stability and "newness".  I plan on continuing with
> > > > this approach for the SELinux tree.
> > > > 
> > > > However, I don't want the 3.15 patches to get lost due to these stupid
> > > > differences so I've created a new branch that has the SELinux 3.15
> > > > patches applied on top of linux-security#next.
> > > > 
> > > >  * git://git.infradead.org/users/pcmoore/selinux next
> > > 
> > > What's the new branch?  That seems to be the same.
> > 
> > My mistake, the new branch is "next-jmorris".
> 
> 195 files changed, 1348 insertions(+), 885 deletions(-)

It should be more to your liking now.

# git pull git://git.infradead.org/users/pcmoore/selinux next-jmorris
remote: Counting objects: 15, done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 11 (delta 8), reused 0 (delta 0)
Unpacking objects: 100% (11/11), done.
>From git://git.infradead.org/users/pcmoore/selinux
 * branch            next-jmorris -> FETCH_HEAD
Updating 33b2533..f64410e
Fast-forward
 security/selinux/hooks.c | 56 
++++++++++++++++++++++++++++++------------------
 1 file changed, 35 insertions(+), 21 deletions(-)

-- 
paul moore
security and virtualization @ redhat

Re: [GIT PULL] SELinux patches for 3.15

[James Morris]

On Wed, 19 Mar 2014, Paul Moore wrote:

> On Wednesday, March 19, 2014 08:50:03 AM James Morris wrote:
> > On Tue, 18 Mar 2014, Paul Moore wrote:
> > > On Tuesday, March 18, 2014 01:26:40 PM James Morris wrote:
> > > > On Mon, 17 Mar 2014, Paul Moore wrote:
> > > > > This issue with the linux-security tree keeps coming up and I stand by
> > > > > my earlier statements that I would much prefer if the linux-security
> > > > > is based off the latest kernel release, e.g. 3.13 as of today.  This
> > > > > seems to be in keeping with Linus' comments, fits with what Eric was
> > > > > doing back when he managed the SELinux tree, and strikes a nice
> > > > > balance between stability and "newness".  I plan on continuing with
> > > > > this approach for the SELinux tree.
> > > > > 
> > > > > However, I don't want the 3.15 patches to get lost due to these stupid
> > > > > differences so I've created a new branch that has the SELinux 3.15
> > > > > patches applied on top of linux-security#next.
> > > > > 
> > > > >  * git://git.infradead.org/users/pcmoore/selinux next
> > > > 
> > > > What's the new branch?  That seems to be the same.
> > > 
> > > My mistake, the new branch is "next-jmorris".
> > 
> > 195 files changed, 1348 insertions(+), 885 deletions(-)
> 
> It should be more to your liking now.
> 
> # git pull git://git.infradead.org/users/pcmoore/selinux next-jmorris
> remote: Counting objects: 15, done.
> remote: Compressing objects: 100% (11/11), done.
> remote: Total 11 (delta 8), reused 0 (delta 0)
> Unpacking objects: 100% (11/11), done.
> >From git://git.infradead.org/users/pcmoore/selinux
>  * branch            next-jmorris -> FETCH_HEAD
> Updating 33b2533..f64410e
> Fast-forward
>  security/selinux/hooks.c | 56 
> ++++++++++++++++++++++++++++++------------------
>  1 file changed, 35 insertions(+), 21 deletions(-)

Thanks, applied.

-- 
James Morris
<jmorris@namei.org>