From: Stephen Smalley <sds@tycho.nsa.gov>
To: Andreas Gruenbacher <agruenba@redhat.com>,
linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
ocfs2-devel@oss.oracle.com
Subject: [Ocfs2-devel] [PATCH v3 0/7] Inode security label invalidation
Date: Tue, 27 Oct 2015 08:32:39 -0400
Message-ID: <562F6EE7.2090601@tycho.nsa.gov>
In-Reply-To: <1445894128-6765-1-git-send-email-agruenba@redhat.com>

On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote:
> Here is another version of the patch queue to make gfs2 and similar file
> systems work with SELinux. As suggested by Stephen Smalley [*], the relevant
> uses of inode->security are wrapped in function calls that try to revalidate
> invalid labels.
>
> [*] http://marc.info/?l=linux-kernel&m=144416710207686&w=2
>
> The patches are looking good from my point of view; is there anything else that
> needs addressing?
>
> Does SELinux have test suites that these patches could be tested against?

git clone https://github.com/SELinuxProject/selinux-testsuite
sudo yum install perl-Test perl-Test-Harness selinux-policy-devel gcc \
    libselinux-devel net-tools netlabel_tools iptables
cd selinux-testsuite
sudo make test

>
> Thanks,
> Andreas
>
> Andreas Gruenbacher (7):
> selinux: Remove unused variable in selinux_inode_init_security
> selinux: Add accessor functions for inode->i_security
> selinux: Get rid of file_path_has_perm
> selinux: Push dentry down from {dentry,path,file}_has_perm
> security: Add hook to invalidate inode security labels
> selinux: Revalidate invalid inode security labels
> gfs2: Invalide security labels of inodes when they go invalid
>
> fs/gfs2/glops.c | 2 +
> include/linux/lsm_hooks.h | 6 ++
> include/linux/security.h | 5 +
> security/security.c | 8 ++
> security/selinux/hooks.c | 213 ++++++++++++++++++++++----------------
> security/selinux/include/objsec.h | 6 ++
> 6 files changed, 152 insertions(+), 88 deletions(-)
>
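
Added example, not part of the original message or of the patch series: a user-space C model of the pattern the cover letter describes, where uses of the cached inode label go through an accessor that revalidates an invalidated label. All struct and function names, the SID values and the toy policy are assumptions made for this illustration.

```c
#include <stdio.h>

/* User-space model only; every name here is hypothetical, not the kernel's. */
enum label_state { LABEL_VALID, LABEL_INVALID };

struct disk_inode { unsigned sid; };   /* label as stored on shared storage */
struct inode {
    struct disk_inode *disk;           /* backing store seen by every node */
    unsigned sid;                      /* this node's cached label */
    enum label_state state;
    unsigned refetches;                /* how often the cache was refreshed */
};

/* Direct read of the cached field: the kind of use the accessor replaces. */
static unsigned label_raw(const struct inode *in) { return in->sid; }

/* Accessor: reload the label from the backing store if it was invalidated. */
static unsigned label_checked(struct inode *in)
{
    if (in->state == LABEL_INVALID) {
        in->sid = in->disk->sid;
        in->state = LABEL_VALID;
        in->refetches++;
    }
    return in->sid;
}

/* Invalidation hook: the filesystem calls this when its inode goes invalid. */
static void invalidate_label(struct inode *in) { in->state = LABEL_INVALID; }

/* Toy policy (constructed): a subject may read only objects with its own SID. */
static int may_read(unsigned subj, unsigned obj) { return subj == obj; }

/* Another node relabels the inode from 10 to 20 while we hold a cached 10. */
static int run_scenario(int use_accessor)
{
    struct disk_inode disk = { 10 };
    struct inode in = { &disk, 10, LABEL_VALID, 0 };

    disk.sid = 20;             /* relabel done elsewhere in the cluster */
    invalidate_label(&in);     /* local filesystem reports the inode invalid */
    unsigned sid = use_accessor ? label_checked(&in) : label_raw(&in);
    return may_read(10, sid);  /* 1 = access allowed */
}

int main(void)
{
    printf("raw field: allowed=%d (decision made on stale label)\n", run_scenario(0));
    printf("accessor:  allowed=%d (label revalidated first)\n", run_scenario(1));
    return 0;
}
```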