[PATCH] selinux: make mls_compute_sid always polyinstantiate

[PATCH] selinux: make mls_compute_sid always polyinstantiate

[Eamon Walsh]

This patch removes the requirement that the new and related object types 
differ in order to polyinstantiate by MLS level.  This allows MLS 
polyinstantiation to occur in the absence of explicit type_member rules 
or when the type has not changed.

Potential users of this support include pam_namespace.so (directory 
polyinstantiation) and the SELinux X support (property polyinstantiation).

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
---

 mls.c |   11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)


diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index fb5d70a..3bbcb53 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
 			/* Use the process effective MLS attributes. */
 			return mls_context_cpy_low(newcontext, scontext);
 	case AVTAB_MEMBER:
-		/* Only polyinstantiate the MLS attributes if
-		   the type is being polyinstantiated */
-		if (newcontext->type != tcontext->type) {
-			/* Use the process effective MLS attributes. */
-			return mls_context_cpy_low(newcontext, scontext);
-		} else {
-			/* Use the related object MLS attributes. */
-			return mls_context_cpy(newcontext, tcontext);
-		}
+		/* Use the process effective MLS attributes. */
+		return mls_context_cpy_low(newcontext, scontext);
 	default:
 		return -EINVAL;
 	}



-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH] selinux: make mls_compute_sid always polyinstantiate

[Eamon Walsh]

This patch removes the requirement that the new and related object types 
differ in order to polyinstantiate by MLS level.  This allows MLS 
polyinstantiation to occur in the absence of explicit type_member rules 
or when the type has not changed.

Potential users of this support include pam_namespace.so (directory 
polyinstantiation) and the SELinux X support (property polyinstantiation).

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
---

 mls.c |   11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)


diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index fb5d70a..3bbcb53 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
 			/* Use the process effective MLS attributes. */
 			return mls_context_cpy_low(newcontext, scontext);
 	case AVTAB_MEMBER:
-		/* Only polyinstantiate the MLS attributes if
-		   the type is being polyinstantiated */
-		if (newcontext->type != tcontext->type) {
-			/* Use the process effective MLS attributes. */
-			return mls_context_cpy_low(newcontext, scontext);
-		} else {
-			/* Use the related object MLS attributes. */
-			return mls_context_cpy(newcontext, tcontext);
-		}
+		/* Use the process effective MLS attributes. */
+		return mls_context_cpy_low(newcontext, scontext);
 	default:
 		return -EINVAL;
 	}



-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency

Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate

[Stephen Smalley]

On Thu, 2008-01-24 at 15:30 -0500, Eamon Walsh wrote:
> This patch removes the requirement that the new and related object types 
> differ in order to polyinstantiate by MLS level.  This allows MLS 
> polyinstantiation to occur in the absence of explicit type_member rules 
> or when the type has not changed.
> 
> Potential users of this support include pam_namespace.so (directory 
> polyinstantiation) and the SELinux X support (property polyinstantiation).
> 
> Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>

Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>

> ---
> 
>  mls.c |   11 ++---------
>  1 file changed, 2 insertions(+), 9 deletions(-)

(nit:  use diffstat -p1 in the future)

> 
> diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
> index fb5d70a..3bbcb53 100644
> --- a/security/selinux/ss/mls.c
> +++ b/security/selinux/ss/mls.c
> @@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
>  			/* Use the process effective MLS attributes. */
>  			return mls_context_cpy_low(newcontext, scontext);
>  	case AVTAB_MEMBER:
> -		/* Only polyinstantiate the MLS attributes if
> -		   the type is being polyinstantiated */
> -		if (newcontext->type != tcontext->type) {
> -			/* Use the process effective MLS attributes. */
> -			return mls_context_cpy_low(newcontext, scontext);
> -		} else {
> -			/* Use the related object MLS attributes. */
> -			return mls_context_cpy(newcontext, tcontext);
> -		}
> +		/* Use the process effective MLS attributes. */
> +		return mls_context_cpy_low(newcontext, scontext);
>  	default:
>  		return -EINVAL;
>  	}
> 
> 
> 
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate

[Stephen Smalley]

On Thu, 2008-01-24 at 15:30 -0500, Eamon Walsh wrote:
> This patch removes the requirement that the new and related object types 
> differ in order to polyinstantiate by MLS level.  This allows MLS 
> polyinstantiation to occur in the absence of explicit type_member rules 
> or when the type has not changed.
> 
> Potential users of this support include pam_namespace.so (directory 
> polyinstantiation) and the SELinux X support (property polyinstantiation).
> 
> Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>

Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>

> ---
> 
>  mls.c |   11 ++---------
>  1 file changed, 2 insertions(+), 9 deletions(-)

(nit:  use diffstat -p1 in the future)

> 
> diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
> index fb5d70a..3bbcb53 100644
> --- a/security/selinux/ss/mls.c
> +++ b/security/selinux/ss/mls.c
> @@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
>  			/* Use the process effective MLS attributes. */
>  			return mls_context_cpy_low(newcontext, scontext);
>  	case AVTAB_MEMBER:
> -		/* Only polyinstantiate the MLS attributes if
> -		   the type is being polyinstantiated */
> -		if (newcontext->type != tcontext->type) {
> -			/* Use the process effective MLS attributes. */
> -			return mls_context_cpy_low(newcontext, scontext);
> -		} else {
> -			/* Use the related object MLS attributes. */
> -			return mls_context_cpy(newcontext, tcontext);
> -		}
> +		/* Use the process effective MLS attributes. */
> +		return mls_context_cpy_low(newcontext, scontext);
>  	default:
>  		return -EINVAL;
>  	}
> 
> 
> 
-- 
Stephen Smalley
National Security Agency

Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate

[Joshua Brindle]

Eamon Walsh wrote:
> This patch removes the requirement that the new and related object 
> types differ in order to polyinstantiate by MLS level.  This allows 
> MLS polyinstantiation to occur in the absence of explicit type_member 
> rules or when the type has not changed.
>
> Potential users of this support include pam_namespace.so (directory 
> polyinstantiation) and the SELinux X support (property 
> polyinstantiation).
>
> Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
> ---
>
> mls.c |   11 ++---------
> 1 file changed, 2 insertions(+), 9 deletions(-)
>
>
> diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
> index fb5d70a..3bbcb53 100644
> --- a/security/selinux/ss/mls.c
> +++ b/security/selinux/ss/mls.c
> @@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
>             /* Use the process effective MLS attributes. */
>             return mls_context_cpy_low(newcontext, scontext);
>     case AVTAB_MEMBER:
> -        /* Only polyinstantiate the MLS attributes if
> -           the type is being polyinstantiated */
> -        if (newcontext->type != tcontext->type) {
> -            /* Use the process effective MLS attributes. */
> -            return mls_context_cpy_low(newcontext, scontext);
> -        } else {
> -            /* Use the related object MLS attributes. */
> -            return mls_context_cpy(newcontext, tcontext);
> -        }
> +        /* Use the process effective MLS attributes. */
> +        return mls_context_cpy_low(newcontext, scontext);
>     default:
>         return -EINVAL;
>     }

Should there be a patch to update mls.c in libsepol as well? I hope we 
are keeping the kss and uss in sync.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate

[Joshua Brindle]

Eamon Walsh wrote:
> This patch removes the requirement that the new and related object 
> types differ in order to polyinstantiate by MLS level.  This allows 
> MLS polyinstantiation to occur in the absence of explicit type_member 
> rules or when the type has not changed.
>
> Potential users of this support include pam_namespace.so (directory 
> polyinstantiation) and the SELinux X support (property 
> polyinstantiation).
>
> Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
> ---
>
> mls.c |   11 ++---------
> 1 file changed, 2 insertions(+), 9 deletions(-)
>
>
> diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
> index fb5d70a..3bbcb53 100644
> --- a/security/selinux/ss/mls.c
> +++ b/security/selinux/ss/mls.c
> @@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
>             /* Use the process effective MLS attributes. */
>             return mls_context_cpy_low(newcontext, scontext);
>     case AVTAB_MEMBER:
> -        /* Only polyinstantiate the MLS attributes if
> -           the type is being polyinstantiated */
> -        if (newcontext->type != tcontext->type) {
> -            /* Use the process effective MLS attributes. */
> -            return mls_context_cpy_low(newcontext, scontext);
> -        } else {
> -            /* Use the related object MLS attributes. */
> -            return mls_context_cpy(newcontext, tcontext);
> -        }
> +        /* Use the process effective MLS attributes. */
> +        return mls_context_cpy_low(newcontext, scontext);
>     default:
>         return -EINVAL;
>     }

Should there be a patch to update mls.c in libsepol as well? I hope we 
are keeping the kss and uss in sync.

Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate

[Stephen Smalley]

On Thu, 2008-01-24 at 15:46 -0500, Joshua Brindle wrote:
> Eamon Walsh wrote:
> > This patch removes the requirement that the new and related object 
> > types differ in order to polyinstantiate by MLS level.  This allows 
> > MLS polyinstantiation to occur in the absence of explicit type_member 
> > rules or when the type has not changed.
> >
> > Potential users of this support include pam_namespace.so (directory 
> > polyinstantiation) and the SELinux X support (property 
> > polyinstantiation).
> >
> > Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
> > ---
> >
> > mls.c |   11 ++---------
> > 1 file changed, 2 insertions(+), 9 deletions(-)
> >
> >
> > diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
> > index fb5d70a..3bbcb53 100644
> > --- a/security/selinux/ss/mls.c
> > +++ b/security/selinux/ss/mls.c
> > @@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
> >             /* Use the process effective MLS attributes. */
> >             return mls_context_cpy_low(newcontext, scontext);
> >     case AVTAB_MEMBER:
> > -        /* Only polyinstantiate the MLS attributes if
> > -           the type is being polyinstantiated */
> > -        if (newcontext->type != tcontext->type) {
> > -            /* Use the process effective MLS attributes. */
> > -            return mls_context_cpy_low(newcontext, scontext);
> > -        } else {
> > -            /* Use the related object MLS attributes. */
> > -            return mls_context_cpy(newcontext, tcontext);
> > -        }
> > +        /* Use the process effective MLS attributes. */
> > +        return mls_context_cpy_low(newcontext, scontext);
> >     default:
> >         return -EINVAL;
> >     }
> 
> Should there be a patch to update mls.c in libsepol as well? I hope we 
> are keeping the kss and uss in sync.

Yes, we should likely mirror the change there.

We aren't however keeping them in sync in general; there are certainly
any number of recent changes that have only gone into the kernel ss
(e.g. policy validation code, boolean preservation, handle unknown
support, new ebitmap implementation, object class and permission
discovery, etc).  And keeping them in sync is hard; most changes have to
be manually ported since the kernel ss is specialized for Linux and the
original contributor has to agree on porting the code to libsepol since
it has a different license (GPL vs. LGPL).

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate

[Joshua Brindle]

Stephen Smalley wrote:
> On Thu, 2008-01-24 at 15:46 -0500, Joshua Brindle wrote:
>   
>> Eamon Walsh wrote:
>>     
>>> This patch removes the requirement that the new and related object 
>>> types differ in order to polyinstantiate by MLS level.  This allows 
>>> MLS polyinstantiation to occur in the absence of explicit type_member 
>>> rules or when the type has not changed.
>>>
>>> Potential users of this support include pam_namespace.so (directory 
>>> polyinstantiation) and the SELinux X support (property 
>>> polyinstantiation).
>>>
>>> Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
>>> ---
>>>
>>> mls.c |   11 ++---------
>>> 1 file changed, 2 insertions(+), 9 deletions(-)
>>>
>>>
>>> diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
>>> index fb5d70a..3bbcb53 100644
>>> --- a/security/selinux/ss/mls.c
>>> +++ b/security/selinux/ss/mls.c
>>> @@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
>>>             /* Use the process effective MLS attributes. */
>>>             return mls_context_cpy_low(newcontext, scontext);
>>>     case AVTAB_MEMBER:
>>> -        /* Only polyinstantiate the MLS attributes if
>>> -           the type is being polyinstantiated */
>>> -        if (newcontext->type != tcontext->type) {
>>> -            /* Use the process effective MLS attributes. */
>>> -            return mls_context_cpy_low(newcontext, scontext);
>>> -        } else {
>>> -            /* Use the related object MLS attributes. */
>>> -            return mls_context_cpy(newcontext, tcontext);
>>> -        }
>>> +        /* Use the process effective MLS attributes. */
>>> +        return mls_context_cpy_low(newcontext, scontext);
>>>     default:
>>>         return -EINVAL;
>>>     }
>>>       
>> Should there be a patch to update mls.c in libsepol as well? I hope we 
>> are keeping the kss and uss in sync.
>>     
>
> Yes, we should likely mirror the change there.
>
> We aren't however keeping them in sync in general; there are certainly
> any number of recent changes that have only gone into the kernel ss
> (e.g. policy validation code, boolean preservation, handle unknown
> support, new ebitmap implementation, object class and permission
> discovery, etc).  And keeping them in sync is hard; most changes have to
> be manually ported since the kernel ss is specialized for Linux and the
> original contributor has to agree on porting the code to libsepol since
> it has a different license (GPL vs. LGPL).
>   

I'm not worried about mechanistic changes, only functionality so that we 
know the kss and the uss would give the same answer given the same 
policy and query. That is an interesting point about the license though, 
I hadn't thought of that.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate

[James Morris]

On Thu, 24 Jan 2008, Eamon Walsh wrote:

> This patch removes the requirement that the new and related object types
> differ in order to polyinstantiate by MLS level.  This allows MLS
> polyinstantiation to occur in the absence of explicit type_member rules or
> when the type has not changed.
> 
> Potential users of this support include pam_namespace.so (directory
> polyinstantiation) and the SELinux X support (property polyinstantiation).
> 
> Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>

Applied to 
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6.git#for-akpm

-- 
James Morris
<jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate

[James Morris]

On Thu, 24 Jan 2008, Eamon Walsh wrote:

> This patch removes the requirement that the new and related object types
> differ in order to polyinstantiate by MLS level.  This allows MLS
> polyinstantiation to occur in the absence of explicit type_member rules or
> when the type has not changed.
> 
> Potential users of this support include pam_namespace.so (directory
> polyinstantiation) and the SELinux X support (property polyinstantiation).
> 
> Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>

Applied to 
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6.git#for-akpm

-- 
James Morris
<jmorris@namei.org>

Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate

[Xavier Toth]

Is this in rawhide, if not when will it be?

On Thu, Jan 24, 2008 at 2:30 PM, Eamon Walsh <ewalsh@tycho.nsa.gov> wrote:
> This patch removes the requirement that the new and related object types
>  differ in order to polyinstantiate by MLS level.  This allows MLS
>  polyinstantiation to occur in the absence of explicit type_member rules
>  or when the type has not changed.
>
>  Potential users of this support include pam_namespace.so (directory
>  polyinstantiation) and the SELinux X support (property polyinstantiation).
>
>  Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
>  ---
>
>   mls.c |   11 ++---------
>   1 file changed, 2 insertions(+), 9 deletions(-)
>
>
>  diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
>  index fb5d70a..3bbcb53 100644
>  --- a/security/selinux/ss/mls.c
>  +++ b/security/selinux/ss/mls.c
>  @@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
>                         /* Use the process effective MLS attributes. */
>                         return mls_context_cpy_low(newcontext, scontext);
>         case AVTAB_MEMBER:
>  -               /* Only polyinstantiate the MLS attributes if
>  -                  the type is being polyinstantiated */
>  -               if (newcontext->type != tcontext->type) {
>  -                       /* Use the process effective MLS attributes. */
>  -                       return mls_context_cpy_low(newcontext, scontext);
>  -               } else {
>  -                       /* Use the related object MLS attributes. */
>  -                       return mls_context_cpy(newcontext, tcontext);
>  -               }
>  +               /* Use the process effective MLS attributes. */
>  +               return mls_context_cpy_low(newcontext, scontext);
>         default:
>                 return -EINVAL;
>         }
>
>
>
>  --
>  Eamon Walsh <ewalsh@tycho.nsa.gov>
>  National Security Agency
>
>
>  --
>  This message was distributed to subscribers of the selinux mailing list.
>  If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>  the words "unsubscribe selinux" without quotes as the message.
>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate

[Xavier Toth]

Is this in rawhide, if not when will it be?

On Thu, Jan 24, 2008 at 2:30 PM, Eamon Walsh <ewalsh@tycho.nsa.gov> wrote:
> This patch removes the requirement that the new and related object types
>  differ in order to polyinstantiate by MLS level.  This allows MLS
>  polyinstantiation to occur in the absence of explicit type_member rules
>  or when the type has not changed.
>
>  Potential users of this support include pam_namespace.so (directory
>  polyinstantiation) and the SELinux X support (property polyinstantiation).
>
>  Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
>  ---
>
>   mls.c |   11 ++---------
>   1 file changed, 2 insertions(+), 9 deletions(-)
>
>
>  diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
>  index fb5d70a..3bbcb53 100644
>  --- a/security/selinux/ss/mls.c
>  +++ b/security/selinux/ss/mls.c
>  @@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
>                         /* Use the process effective MLS attributes. */
>                         return mls_context_cpy_low(newcontext, scontext);
>         case AVTAB_MEMBER:
>  -               /* Only polyinstantiate the MLS attributes if
>  -                  the type is being polyinstantiated */
>  -               if (newcontext->type != tcontext->type) {
>  -                       /* Use the process effective MLS attributes. */
>  -                       return mls_context_cpy_low(newcontext, scontext);
>  -               } else {
>  -                       /* Use the related object MLS attributes. */
>  -                       return mls_context_cpy(newcontext, tcontext);
>  -               }
>  +               /* Use the process effective MLS attributes. */
>  +               return mls_context_cpy_low(newcontext, scontext);
>         default:
>                 return -EINVAL;
>         }
>
>
>
>  --
>  Eamon Walsh <ewalsh@tycho.nsa.gov>
>  National Security Agency
>
>
>  --
>  This message was distributed to subscribers of the selinux mailing list.
>  If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>  the words "unsubscribe selinux" without quotes as the message.
>

Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate

[Stephen Smalley]

On Tue, 2008-02-05 at 11:52 -0600, Xavier Toth wrote:
> Is this in rawhide, if not when will it be?

Not up to us, obviously.  The patch is in Linus' git tree, but looks
like latest fedora devel kernel is frozen on 2.6.24 + specific
individual patches, not feeding from Linus' git presently.  James could
possibly ask the Fedora kernel maintainer about adding it - it is small,
self-contained, and has no side effects on existing code (nothing prior
to XSELinux uses the compute member support; pam_namespace usage was
disabled since it didn't work right for multi-level dirs).

> 
> On Thu, Jan 24, 2008 at 2:30 PM, Eamon Walsh <ewalsh@tycho.nsa.gov> wrote:
> > This patch removes the requirement that the new and related object types
> >  differ in order to polyinstantiate by MLS level.  This allows MLS
> >  polyinstantiation to occur in the absence of explicit type_member rules
> >  or when the type has not changed.
> >
> >  Potential users of this support include pam_namespace.so (directory
> >  polyinstantiation) and the SELinux X support (property polyinstantiation).
> >
> >  Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
> >  ---
> >
> >   mls.c |   11 ++---------
> >   1 file changed, 2 insertions(+), 9 deletions(-)
> >
> >
> >  diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
> >  index fb5d70a..3bbcb53 100644
> >  --- a/security/selinux/ss/mls.c
> >  +++ b/security/selinux/ss/mls.c
> >  @@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
> >                         /* Use the process effective MLS attributes. */
> >                         return mls_context_cpy_low(newcontext, scontext);
> >         case AVTAB_MEMBER:
> >  -               /* Only polyinstantiate the MLS attributes if
> >  -                  the type is being polyinstantiated */
> >  -               if (newcontext->type != tcontext->type) {
> >  -                       /* Use the process effective MLS attributes. */
> >  -                       return mls_context_cpy_low(newcontext, scontext);
> >  -               } else {
> >  -                       /* Use the related object MLS attributes. */
> >  -                       return mls_context_cpy(newcontext, tcontext);
> >  -               }
> >  +               /* Use the process effective MLS attributes. */
> >  +               return mls_context_cpy_low(newcontext, scontext);
> >         default:
> >                 return -EINVAL;
> >         }
> >
> >
> >
> >  --
> >  Eamon Walsh <ewalsh@tycho.nsa.gov>
> >  National Security Agency
> >
> >
> >  --
> >  This message was distributed to subscribers of the selinux mailing list.
> >  If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> >  the words "unsubscribe selinux" without quotes as the message.
> >
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate

[James Morris]

On Tue, 5 Feb 2008, Stephen Smalley wrote:

> 
> On Tue, 2008-02-05 at 11:52 -0600, Xavier Toth wrote:
> > Is this in rawhide, if not when will it be?
> 
> Not up to us, obviously.  The patch is in Linus' git tree, but looks
> like latest fedora devel kernel is frozen on 2.6.24 + specific
> individual patches, not feeding from Linus' git presently.  James could
> possibly ask the Fedora kernel maintainer about adding it - it is small,
> self-contained, and has no side effects on existing code (nothing prior
> to XSELinux uses the compute member support; pam_namespace usage was
> disabled since it didn't work right for multi-level dirs).

The rawhide kernel usually tracks Linus pretty closely -- perhaps wait a 
couple of days until people recover from LCA.

> 
> > 
> > On Thu, Jan 24, 2008 at 2:30 PM, Eamon Walsh <ewalsh@tycho.nsa.gov> wrote:
> > > This patch removes the requirement that the new and related object types
> > >  differ in order to polyinstantiate by MLS level.  This allows MLS
> > >  polyinstantiation to occur in the absence of explicit type_member rules
> > >  or when the type has not changed.
> > >
> > >  Potential users of this support include pam_namespace.so (directory
> > >  polyinstantiation) and the SELinux X support (property polyinstantiation).
> > >
> > >  Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
> > >  ---
> > >
> > >   mls.c |   11 ++---------
> > >   1 file changed, 2 insertions(+), 9 deletions(-)
> > >
> > >
> > >  diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
> > >  index fb5d70a..3bbcb53 100644
> > >  --- a/security/selinux/ss/mls.c
> > >  +++ b/security/selinux/ss/mls.c
> > >  @@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
> > >                         /* Use the process effective MLS attributes. */
> > >                         return mls_context_cpy_low(newcontext, scontext);
> > >         case AVTAB_MEMBER:
> > >  -               /* Only polyinstantiate the MLS attributes if
> > >  -                  the type is being polyinstantiated */
> > >  -               if (newcontext->type != tcontext->type) {
> > >  -                       /* Use the process effective MLS attributes. */
> > >  -                       return mls_context_cpy_low(newcontext, scontext);
> > >  -               } else {
> > >  -                       /* Use the related object MLS attributes. */
> > >  -                       return mls_context_cpy(newcontext, tcontext);
> > >  -               }
> > >  +               /* Use the process effective MLS attributes. */
> > >  +               return mls_context_cpy_low(newcontext, scontext);
> > >         default:
> > >                 return -EINVAL;
> > >         }
> > >
> > >
> > >
> > >  --
> > >  Eamon Walsh <ewalsh@tycho.nsa.gov>
> > >  National Security Agency
> > >
> > >
> > >  --
> > >  This message was distributed to subscribers of the selinux mailing list.
> > >  If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> > >  the words "unsubscribe selinux" without quotes as the message.
> > >
> > 
> > --
> > This message was distributed to subscribers of the selinux mailing list.
> > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> > the words "unsubscribe selinux" without quotes as the message.
> 

-- 
James Morris
<jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate

[Stephen Smalley]

On Wed, 2008-02-06 at 09:35 +1100, James Morris wrote:
> On Tue, 5 Feb 2008, Stephen Smalley wrote:
> 
> > 
> > On Tue, 2008-02-05 at 11:52 -0600, Xavier Toth wrote:
> > > Is this in rawhide, if not when will it be?
> > 
> > Not up to us, obviously.  The patch is in Linus' git tree, but looks
> > like latest fedora devel kernel is frozen on 2.6.24 + specific
> > individual patches, not feeding from Linus' git presently.  James could
> > possibly ask the Fedora kernel maintainer about adding it - it is small,
> > self-contained, and has no side effects on existing code (nothing prior
> > to XSELinux uses the compute member support; pam_namespace usage was
> > disabled since it didn't work right for multi-level dirs).
> 
> The rawhide kernel usually tracks Linus pretty closely -- perhaps wait a 
> couple of days until people recover from LCA.

Looks like they froze it on 2.6.24 (kernel.spec has released_kernel 1,
gitrev 0 in Fedora devel CVS), and are only cherry picking individual
patches, like the /proc/net fix for SELinux.  Unless that was only for
the Fedora 9 Alpha release and they'll re-open the flood gates soon?

If they don't start pulling from git again soon, we should likely take
the specific patch to fedora kernel list.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate

[Stephen Smalley]

On Wed, 2008-02-06 at 09:49 -0500, Stephen Smalley wrote:
> On Wed, 2008-02-06 at 09:35 +1100, James Morris wrote:
> > On Tue, 5 Feb 2008, Stephen Smalley wrote:
> > 
> > > 
> > > On Tue, 2008-02-05 at 11:52 -0600, Xavier Toth wrote:
> > > > Is this in rawhide, if not when will it be?
> > > 
> > > Not up to us, obviously.  The patch is in Linus' git tree, but looks
> > > like latest fedora devel kernel is frozen on 2.6.24 + specific
> > > individual patches, not feeding from Linus' git presently.  James could
> > > possibly ask the Fedora kernel maintainer about adding it - it is small,
> > > self-contained, and has no side effects on existing code (nothing prior
> > > to XSELinux uses the compute member support; pam_namespace usage was
> > > disabled since it didn't work right for multi-level dirs).
> > 
> > The rawhide kernel usually tracks Linus pretty closely -- perhaps wait a 
> > couple of days until people recover from LCA.
> 
> Looks like they froze it on 2.6.24 (kernel.spec has released_kernel 1,
> gitrev 0 in Fedora devel CVS), and are only cherry picking individual
> patches, like the /proc/net fix for SELinux.  Unless that was only for
> the Fedora 9 Alpha release and they'll re-open the flood gates soon?
> 
> If they don't start pulling from git again soon, we should likely take
> the specific patch to fedora kernel list.

Latest rawhide kernel pulled in 2.6.24.1-rc1, so they seem to be
stabilizing on 2.6.24.x rather than pulling from git again for Fedora 9.
Which means we'll have to get the patch added explicitly if we want it
in Fedora 9.  Likely requires posting of the patch to fedora kernel
list.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate

[Eamon Walsh]

Stephen Smalley wrote:
> On Wed, 2008-02-06 at 09:49 -0500, Stephen Smalley wrote:
>   
>> On Wed, 2008-02-06 at 09:35 +1100, James Morris wrote:
>>     
>>> On Tue, 5 Feb 2008, Stephen Smalley wrote:
>>>
>>>       
>>>> On Tue, 2008-02-05 at 11:52 -0600, Xavier Toth wrote:
>>>>         
>>>>> Is this in rawhide, if not when will it be?
>>>>>           
>>>> Not up to us, obviously.  The patch is in Linus' git tree, but looks
>>>> like latest fedora devel kernel is frozen on 2.6.24 + specific
>>>> individual patches, not feeding from Linus' git presently.  James could
>>>> possibly ask the Fedora kernel maintainer about adding it - it is small,
>>>> self-contained, and has no side effects on existing code (nothing prior
>>>> to XSELinux uses the compute member support; pam_namespace usage was
>>>> disabled since it didn't work right for multi-level dirs).
>>>>         
>>> The rawhide kernel usually tracks Linus pretty closely -- perhaps wait a 
>>> couple of days until people recover from LCA.
>>>       
>> Looks like they froze it on 2.6.24 (kernel.spec has released_kernel 1,
>> gitrev 0 in Fedora devel CVS), and are only cherry picking individual
>> patches, like the /proc/net fix for SELinux.  Unless that was only for
>> the Fedora 9 Alpha release and they'll re-open the flood gates soon?
>>
>> If they don't start pulling from git again soon, we should likely take
>> the specific patch to fedora kernel list.
>>     
>
> Latest rawhide kernel pulled in 2.6.24.1-rc1, so they seem to be
> stabilizing on 2.6.24.x rather than pulling from git again for Fedora 9.
> Which means we'll have to get the patch added explicitly if we want it
> in Fedora 9.  Likely requires posting of the patch to fedora kernel
> list.
>   

Please do get this pulled in if you can.  Although, with the ongoing 
schedule slip in the X server, I'm wondering if Fedora 9 is even going 
to be able to ship a 1.4.1 point release, much less a 1.5 server that 
would include my stuff.

-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.