From: Casey Schaufler <casey@schaufler-ca.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: LSM <linux-security-module@vger.kernel.org>,
SE Linux <selinux@tycho.nsa.gov>, Eric Paris <eparis@redhat.com>,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH 5/5] LSM: SELinux changes to allow LSM stacking
Date: Thu, 06 Sep 2012 08:17:10 -0700
Message-ID: <5048BE76.3000202@schaufler-ca.com>
In-Reply-To: <1346936932.19997.21.camel@moss-pluto.epoch.ncsc.mil>
On 9/6/2012 6:08 AM, Stephen Smalley wrote:
> On Wed, 2012-09-05 at 10:38 -0400, Stephen Smalley wrote:
>> On Tue, 2012-09-04 at 19:09 -0700, Casey Schaufler wrote:
>>> Subject: LSM: SELinux changes to allow LSM stacking
>>>
>>> Change security blob accesses to use the lsm_get/lsm_set
>>> interfaces. This requires removal of the cred pointer
>>> poisoning in selinux_cred_free.
>>>
>>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>> FWIW, passes the selinux-testsuite with SELinux and Yama enabled.
> However, setting SELINUX=disabled in /etc/selinux/config and rebooting
> with this kernel yields a kernel panic during reset_security_ops(),
> called by selinux_disable().
>
reset_security_ops is only used by SELinux. There are a number of ways
to repair this. The important question is whether a general solution is
required or if it can be left SELinux specific. If it is a general
interface, does it clear all the LSMs or just the LSM calling it?
I would suggest that leaving it to SELinux is the best choice, and
clearing the calling LSM only the next best choice.
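The alternative Casey ranks second (clear only the LSM that calls the reset, not every stacked LSM) can be shown with a small user-space model. This is an added example, not code from the patch series or from the kernel: the hook table, the reset_all()/reset_one() functions and the two toy ptrace_access_check rules are hypothetical stand-ins for a stacked LSM registration table, the existing reset_security_ops() behaviour, and SELinux/Yama respectively. The sample tasks are constructed inline.

```c
/* Added example, not kernel code: a model of "clear all LSMs" versus
 * "clear only the calling LSM" for a stacked hook table.  All names
 * and rules below are hypothetical. */
#include <stdio.h>
#include <string.h>

#define MAX_LSM 4

struct task {
    int pid;
    int ppid;
    const char *label;   /* toy SELinux-style label, e.g. "confined_t" */
};

struct lsm_ops {
    const char *name;
    /* 0 = allow, -1 = deny; shaped like the ptrace_access_check hook */
    int (*ptrace_access_check)(const struct task *tracer,
                               const struct task *tracee);
};

/* One slot per stacked LSM; a NULL slot is unused. */
static struct lsm_ops *hooks[MAX_LSM];

/* Toy SELinux rule: only unconfined_t tracees may be traced. */
static int selinux_ptrace(const struct task *tracer, const struct task *tracee)
{
    (void)tracer;
    return strcmp(tracee->label, "unconfined_t") == 0 ? 0 : -1;
}

/* Toy Yama rule (ptrace_scope=1 flavour): only the direct parent may trace. */
static int yama_ptrace(const struct task *tracer, const struct task *tracee)
{
    return tracer->pid == tracee->ppid ? 0 : -1;
}

struct lsm_ops selinux_ops = { "selinux", selinux_ptrace };
struct lsm_ops yama_ops    = { "yama",    yama_ptrace };

/* Constructed sample tasks: parent traces child; sibling is unrelated. */
const struct task parent_task  = { 100, 1,   "unconfined_t" };
const struct task child_task   = { 200, 100, "confined_t"   };
const struct task sibling_task = { 300, 100, "unconfined_t" };

/* Register an LSM in the first free slot; returns the slot or -1 if full. */
int lsm_register(struct lsm_ops *ops)
{
    for (int i = 0; i < MAX_LSM; i++)
        if (hooks[i] == NULL) { hooks[i] = ops; return i; }
    return -1;
}

int lsm_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_LSM; i++)
        if (hooks[i]) n++;
    return n;
}

/* Model of a reset that clears every LSM, not only the caller. */
void reset_all(void)
{
    memset(hooks, 0, sizeof hooks);
}

/* Model of the alternative: the disabling LSM removes only its own slot.
 * Returns 1 if the slot was cleared, 0 if that LSM was not registered. */
int reset_one(const struct lsm_ops *ops)
{
    for (int i = 0; i < MAX_LSM; i++)
        if (hooks[i] == ops) { hooks[i] = NULL; return 1; }
    return 0;
}

/* Stacked dispatch: every registered LSM must allow, any deny wins. */
int security_ptrace_access_check(const struct task *tracer,
                                 const struct task *tracee)
{
    for (int i = 0; i < MAX_LSM; i++)
        if (hooks[i] && hooks[i]->ptrace_access_check(tracer, tracee) != 0)
            return -1;
    return 0;
}

int main(void)
{
    reset_all();
    lsm_register(&selinux_ops);
    lsm_register(&yama_ops);
    printf("both stacked,     parent->child:   %d\n",
           security_ptrace_access_check(&parent_task, &child_task));
    reset_one(&selinux_ops);            /* SELinux disables itself only */
    printf("selinux cleared,  parent->child:   %d\n",
           security_ptrace_access_check(&parent_task, &child_task));
    printf("selinux cleared,  sibling->parent: %d (yama still enforced)\n",
           security_ptrace_access_check(&sibling_task, &parent_task));
    reset_all();                        /* clear-everything variant */
    printf("all cleared,      sibling->child:  %d\n",
           security_ptrace_access_check(&sibling_task, &child_task));
    return 0;
}
```

With reset_one() the second LSM keeps enforcing after SELinux drops out; with reset_all() a single LSM's disable path silently removes the other LSM's hooks as well, which is why the scope of the reset matters once more than one module is loaded.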
Thread overview: 5+ messages
2012-09-05 2:09 [PATCH 5/5] LSM: SELinux changes to allow LSM stacking Casey Schaufler
2012-09-05 14:38 ` Stephen Smalley
2012-09-05 15:35 ` Casey Schaufler
2012-09-06 13:08 ` Stephen Smalley
2012-09-06 15:17 ` Casey Schaufler [this message]