From: Stephen Smalley <sds@tycho.nsa.gov>
To: Paul Moore <paul@paul-moore.com>
Cc: SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: Changing unlabeled_t on files to invalid_label_t.
Date: Fri, 10 Jan 2014 11:13:35 -0500
Message-ID: <52D01C2F.9060005@tycho.nsa.gov>
In-Reply-To: <52D00A39.5020100@tycho.nsa.gov>

On 01/10/2014 09:56 AM, Stephen Smalley wrote:
> On 01/10/2014 09:49 AM, Paul Moore wrote:
>> On Friday, January 10, 2014 09:42:42 AM Stephen Smalley wrote:
>>> On 01/09/2014 06:07 PM, Eric Paris wrote:
>>>> I believe we need a new initial sid. SECINITSID_INVALID_LABEL....
>>>
>>> Difficult (impossible?) to do in a fully backward compatible manner (to
>>> include the case of loading new policy on old kernel, whether initially
>>> or update/reload on an already running kernel with an older policy).
>>
>> Do we really need to worry about being able to load new policy into a old
>> kernel? In general I thought the backward compatible issue was that newer
>> kernels needed to support older userspace, not the other way around.
>
> Well, you'll at least need code in the kernel to handle the case where
> the policy does not define any new initial SIDs that you introduce in
> the policy, remapping them to e.g. unlabeled or something.
>
> And you likely want to ensure that people don't accidentally load new
> policy into old kernel and break things, whether by tying the new
> initial SIDS to a policy capability or policy version.

But reusing one of the dead initial SIDs might be easier - I think you
have done that previously for some of the networking ones. Currently
unused ones are:

sid file_labels u:object_r:unlabeled:s0
sid init u:object_r:unlabeled:s0
sid igmp_packet u:object_r:unlabeled:s0
sid icmp_socket u:object_r:unlabeled:s0
sid tcp_socket u:object_r:unlabeled:s0
sid sysctl_modprobe u:object_r:unlabeled:s0
sid sysctl_fs u:object_r:unlabeled:s0
sid sysctl_kernel u:object_r:unlabeled:s0
sid sysctl_net u:object_r:unlabeled:s0
sid sysctl_net_unix u:object_r:unlabeled:s0
sid sysctl_vm u:object_r:unlabeled:s0
sid sysctl_dev u:object_r:unlabeled:s0
sid kmod u:object_r:unlabeled:s0
sid policy u:object_r:unlabeled:s0
sid scmp_packet u:object_r:unlabeled:s0

Some of those were never used in any mainline kernel.
Others were used but ultimately removed.
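The two mechanics discussed in this reply are (a) finding which initial SIDs a policy still declares but only maps to the unlabeled context, i.e. the "dead" ones that could be reused, and (b) what a kernel has to do when it expects an initial SID that the loaded policy never defines. The script below is an added example, not code from the thread or from the SELinux kernel or userspace; it parses refpolicy-style `sid <name> <context>` lines from a constructed sample of `initial_sid_contexts` and models the fallback as a lookup that substitutes the policy's unlabeled context. The kernel SID table `KERNEL_INITIAL_SIDS` (including the hypothetical `invalid_label` entry) and the sample policy text are assumptions made for illustration.

```python
"""Added example (not from the thread): list the initial SIDs a policy maps to
the unlabeled type, and model how a kernel could fall back to the unlabeled
context for an initial SID the policy does not define."""
import re

# Constructed sample of a policy's initial_sid_contexts file.  The unlabeled
# entries echo the ones quoted in the message; the other contexts are made up.
SAMPLE_INITIAL_SID_CONTEXTS = """\
# <sid name> <security context>
sid kernel u:r:kernel:s0
sid security u:object_r:security:s0
sid unlabeled u:object_r:unlabeled:s0
sid file_labels u:object_r:unlabeled:s0
sid init u:object_r:unlabeled:s0
sid file u:object_r:file:s0
sid kmod u:object_r:unlabeled:s0
sid policy u:object_r:unlabeled:s0
"""

# Assumed, constructed kernel table of initial SID names; a SID number is its
# 1-based position here.  'invalid_label' is the hypothetical new entry this
# thread is discussing and is deliberately absent from the sample policy.
KERNEL_INITIAL_SIDS = [
    "kernel", "security", "unlabeled", "file_labels", "init",
    "file", "kmod", "policy", "invalid_label",
]

SID_LINE = re.compile(r"^sid\s+(\S+)\s+(\S+)$")


def parse_initial_sid_contexts(text):
    """Return {sid_name: context} from 'sid <name> <context>' lines.

    Blank lines and '#' comments are ignored; anything else that is not a
    well-formed sid line, or a duplicated sid name, is rejected."""
    sids = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SID_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a 'sid <name> <context>' line: {raw!r}")
        name, ctx = m.groups()
        if ctx.count(":") < 2:
            raise ValueError(f"line {lineno}: context {ctx!r} lacks user:role:type")
        if name in sids:
            raise ValueError(f"line {lineno}: duplicate initial sid {name!r}")
        sids[name] = ctx
    return sids


def reusable_initial_sids(sids, unlabeled_type="unlabeled"):
    """Initial SIDs (other than 'unlabeled' itself) whose context type is the
    unlabeled type: nothing in the policy distinguishes them, so they are the
    'dead' entries a new meaning could be assigned to."""
    return sorted(
        name for name, ctx in sids.items()
        if name != "unlabeled" and ctx.split(":")[2] == unlabeled_type
    )


def resolve_initial_sid(sid_number, kernel_table, policy_sids):
    """Model the kernel-side lookup for initial SID number `sid_number`.

    Returns (name, context, fell_back).  If the policy defines the SID, its
    context is used; otherwise the policy's unlabeled context is substituted,
    which is the remapping the message says the kernel would need."""
    if not 1 <= sid_number <= len(kernel_table):
        raise ValueError(f"initial SID {sid_number} is outside the kernel table")
    if "unlabeled" not in policy_sids:
        raise ValueError("policy defines no 'unlabeled' initial sid to fall back to")
    name = kernel_table[sid_number - 1]
    if name in policy_sids:
        return name, policy_sids[name], False
    return name, policy_sids["unlabeled"], True


if __name__ == "__main__":
    policy = parse_initial_sid_contexts(SAMPLE_INITIAL_SID_CONTEXTS)
    print("reusable (unlabeled-only) initial SIDs:", reusable_initial_sids(policy))
    for n in range(1, len(KERNEL_INITIAL_SIDS) + 1):
        print(n, *resolve_initial_sid(n, KERNEL_INITIAL_SIDS, policy))
```

Run against a real `initial_sid_contexts` file instead of the embedded sample to get the same list the message compiled by hand; the fallback half shows why a new initial SID needs kernel code behind it, since an older policy will simply not have a line for it.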

Thread overview (22+ messages):
2014-01-09 21:53 Changing unlabeled_t on files to invalid_label_t Daniel J Walsh
2014-01-09 22:21 ` Dominick Grift
2014-01-09 22:49 ` Dominick Grift
2014-01-10 0:26 ` Paul Moore
2014-01-09 22:54 ` Paul Moore
2014-01-09 23:07 ` Eric Paris
2014-01-09 23:22 ` Dominick Grift
2014-01-10 0:23 ` Paul Moore
2014-01-10 11:52 ` Dominick Grift
2014-01-10 14:42 ` Paul Moore
2014-01-10 14:42 ` Stephen Smalley
2014-01-10 14:49 ` Paul Moore
2014-01-10 14:56 ` Stephen Smalley
2014-01-10 16:13 ` Stephen Smalley [this message]
2014-01-10 16:23 ` Paul Moore
2014-01-12 1:37 ` Russell Coker
2014-01-09 22:23 ` Ted Toth
2014-01-09 22:45 ` Paul Moore
2014-01-10 16:06 ` Stephen Smalley
2014-01-10 16:13 ` Daniel J Walsh
2014-01-10 16:14 ` Stephen Smalley
2014-01-13 20:07 ` Christopher J. PeBenito