diff for duplicates of <alpine.LFD.2.20.1710301859170.11614@localhost> diff --git a/a/1.txt b/N1/1.txt index aacb26e..fe01354 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -43,28 +43,28 @@ A summary of the approach is as follows: Some examples: - [root at test]# cat /sys/fs/selinux/unshare + [root@test]# cat /sys/fs/selinux/unshare vm8 - [root at test]# touch testfile + [root@test]# touch testfile - [root at test]# ls -Z testfile + [root@test]# ls -Z testfile -rw-r--r--. root root unconfined_u:object_r:unlabeled_t:s0 testfile - [root at test]# getfattr -n security.selinux testfile + [root@test]# getfattr -n security.selinux testfile # file: testfile security.selinux="unconfined_u:object_r:unlabeled_t:s0" # restorecon -v testfile restorecon reset /root/selinux/testfile context unconfined_u:object_r:unlabeled_t:s0->unconfined_u:object_r:admin_home_t:s0 - [root at test]# getfattr -n security.selinux testfile + [root@test]# getfattr -n security.selinux testfile # file: testfile security.selinux="unconfined_u:object_r:admin_home_t:s0" - [root at test]# chcon -t etc_t testfile + [root@test]# chcon -t etc_t testfile - [root at test]# getfattr -n security.selinux testfile + [root@test]# getfattr -n security.selinux testfile # file: testfile security.selinux="unconfined_u:object_r:etc_t:s0" @@ -72,13 +72,13 @@ Some examples: Ok, so this all looks pretty normal, but what's happening on disk is not. >From the init namespace, I'll access the same file: - [root at test]# cat /sys/fs/selinux/unshare + [root@test]# cat /sys/fs/selinux/unshare init - [root at test]# ls -Z testfile + [root@test]# ls -Z testfile -rw-r--r--. root root system_u:object_r:unlabeled_t:s0 testfile - [root at test]# getfattr -n security.selinux testfile + [root@test]# getfattr -n security.selinux testfile # file: testfile security.selinux="system_u:object_r:unlabeled_t:s0" 
@@ -87,7 +87,7 @@ created in a different namespace and only initialized there. What you're seeing here is the default unlabeled label. Dumping out the xattrs shows what's on disk: - [root at test]# getfattr -d -m . testfile + [root@test]# getfattr -d -m . testfile # file: testfile security.selinux.ns.vm8="unconfined_u:object_r:etc_t:s0" @@ -97,23 +97,23 @@ that namespace. Let's give it a proper label for the init ns: # restorecon -v testfile restorecon reset /root/selinux/testfile context system_u:object_r:unlabeled_t:s0->system_u:object_r:admin_home_t:s0 - [root at test]# getfattr -d -m . testfile + [root@test]# getfattr -d -m . testfile # file: testfile security.selinux="system_u:object_r:admin_home_t:s0" security.selinux.ns.vm8="unconfined_u:object_r:etc_t:s0" - [root at test]# ls -Z testfile + [root@test]# ls -Z testfile -rw-r--r--. root root system_u:object_r:admin_home_t:s0 testfile And if you go into the vm8 namespace you'll see the label there is: - [root at test]# echo vm8 > /sys/fs/selinux/unshare - [root at test]# unshare -m -n - [root at test]# umount /sys/fs/selinux && mount -t selinuxfs none /sys/fs/selinux && load_policy - [root at test]# runcon unconfined_u:unconfined_r:unconfined_t:s0:c0.c1023 /bin/bash - [root at test]# setenforce 1 + [root@test]# echo vm8 > /sys/fs/selinux/unshare + [root@test]# unshare -m -n + [root@test]# umount /sys/fs/selinux && mount -t selinuxfs none /sys/fs/selinux && load_policy + [root@test]# runcon unconfined_u:unconfined_r:unconfined_t:s0:c0.c1023 /bin/bash + [root@test]# setenforce 1 - [root at test]# ls -Z testfile + [root@test]# ls -Z testfile -rw-r--r--. root root unconfined_u:object_r:etc_t:s0 testfile 
@@ -672,8 +672,3 @@ index 319add3..5ea841f 100644 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) -- 1.8.3.1 - --- -To unsubscribe from this list: send the line "unsubscribe linux-security-module" in -the body of a message to majordomo at vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index 3b385cf..861b858 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -1,7 +1,10 @@ - "From\0james.l.morris@oracle.com (James Morris)\0" + "From\0James Morris <james.l.morris@oracle.com>\0" "Subject\0[RFC v0.1][PATCH] selinuxns: extend namespace support to security.selinux xattrs\0" "Date\0Mon, 30 Oct 2017 21:04:20 +1100 (AEDT)\0" - "To\0linux-security-module@vger.kernel.org\0" + "To\0Stephen Smalley <sds@tycho.nsa.gov>" + " selinux@tycho.nsa.gov\0" + "Cc\0linux-security-module@vger.kernel.org" + " Paul Moore <paul@paul-moore.com>\0" "\00:1\0" "b\0" "This is a proof-of-concept patch to demonstrate an approach to supporting \n" 
@@ -49,28 +52,28 @@ "\n" "Some examples:\n" "\n" - " [root at test]# cat /sys/fs/selinux/unshare \n" + " [root@test]# cat /sys/fs/selinux/unshare \n" " vm8\n" "\n" - " [root at test]# touch testfile\n" + " [root@test]# touch testfile\n" "\n" - " [root at test]# ls -Z testfile \n" + " [root@test]# ls -Z testfile \n" " -rw-r--r--. root root unconfined_u:object_r:unlabeled_t:s0 testfile\n" "\n" - " [root at test]# getfattr -n security.selinux testfile \n" + " [root@test]# getfattr -n security.selinux testfile \n" " # file: testfile\n" " security.selinux=\"unconfined_u:object_r:unlabeled_t:s0\"\n" "\n" " # restorecon -v testfile \n" " restorecon reset /root/selinux/testfile context unconfined_u:object_r:unlabeled_t:s0->unconfined_u:object_r:admin_home_t:s0\n" "\n" - " [root at test]# getfattr -n security.selinux testfile \n" + " [root@test]# getfattr -n security.selinux testfile \n" " # file: testfile\n" " security.selinux=\"unconfined_u:object_r:admin_home_t:s0\"\n" "\n" - " [root at test]# chcon -t etc_t testfile \n" + " [root@test]# chcon -t etc_t testfile \n" "\n" - " [root at test]# getfattr -n security.selinux testfile \n" + " [root@test]# getfattr -n security.selinux testfile \n" " # file: testfile\n" " security.selinux=\"unconfined_u:object_r:etc_t:s0\"\n" "\n" @@ -78,13 +81,13 @@ "Ok, so this all looks pretty normal, but what's happening on disk is not. \n" ">From the init namespace, I'll access the same file:\n" "\n" - " [root at test]# cat /sys/fs/selinux/unshare \n" + " [root@test]# cat /sys/fs/selinux/unshare \n" " init\n" "\n" - " [root at test]# ls -Z testfile \n" + " [root@test]# ls -Z testfile \n" " -rw-r--r--. root root system_u:object_r:unlabeled_t:s0 testfile\n" "\n" - " [root at test]# getfattr -n security.selinux testfile \n" + " [root@test]# getfattr -n security.selinux testfile \n" " # file: testfile\n" " security.selinux=\"system_u:object_r:unlabeled_t:s0\"\n" "\n" 
@@ -93,7 +96,7 @@ "seeing here is the default unlabeled label. Dumping out the xattrs shows \n" "what's on disk:\n" "\n" - " [root at test]# getfattr -d -m . testfile \n" + " [root@test]# getfattr -d -m . testfile \n" " # file: testfile\n" " security.selinux.ns.vm8=\"unconfined_u:object_r:etc_t:s0\"\n" "\n" @@ -103,23 +106,23 @@ " # restorecon -v testfile \n" " restorecon reset /root/selinux/testfile context system_u:object_r:unlabeled_t:s0->system_u:object_r:admin_home_t:s0\n" "\n" - " [root at test]# getfattr -d -m . testfile \n" + " [root@test]# getfattr -d -m . testfile \n" " # file: testfile\n" " security.selinux=\"system_u:object_r:admin_home_t:s0\"\n" " security.selinux.ns.vm8=\"unconfined_u:object_r:etc_t:s0\"\n" "\n" - " [root at test]# ls -Z testfile \n" + " [root@test]# ls -Z testfile \n" " -rw-r--r--. root root system_u:object_r:admin_home_t:s0 testfile\n" "\n" "And if you go into the vm8 namespace you'll see the label there is:\n" "\n" - " [root at test]# echo vm8 > /sys/fs/selinux/unshare \n" - " [root at test]# unshare -m -n\n" - " [root at test]# umount /sys/fs/selinux && mount -t selinuxfs none /sys/fs/selinux && load_policy\n" - " [root at test]# runcon unconfined_u:unconfined_r:unconfined_t:s0:c0.c1023 /bin/bash\n" - " [root at test]# setenforce 1\n" + " [root@test]# echo vm8 > /sys/fs/selinux/unshare \n" + " [root@test]# unshare -m -n\n" + " [root@test]# umount /sys/fs/selinux && mount -t selinuxfs none /sys/fs/selinux && load_policy\n" + " [root@test]# runcon unconfined_u:unconfined_r:unconfined_t:s0:c0.c1023 /bin/bash\n" + " [root@test]# setenforce 1\n" "\n" - " [root at test]# ls -Z testfile \n" + " [root@test]# ls -Z testfile \n" " -rw-r--r--. root root unconfined_u:object_r:etc_t:s0 testfile\n" "\n" "\n" 
@@ -677,11 +680,6 @@ " \n" " static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)\n" "-- \n" - "1.8.3.1\n" - "\n" - "--\n" - "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" - "the body of a message to majordomo at vger.kernel.org\n" - More majordomo info at http://vger.kernel.org/majordomo-info.html + 1.8.3.1 -0efa44d06ce432eb6300700cb9c91b800ea70bf5a3986ff58d1b317990411b70 +ce6c8f2515c5fb6b20a29c269a2ed89c407d16fb0cf85141b25aae1391459f14
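Review bot: the N1 side of the 1.txt hunks (@@ -43 through @@ -97) should be treated as the faithful copy: `[root at test]#` is the list archiver's address-obfuscation of the shell prompt `[root@test]#`, not something the author typed, and the same rewriting is visible in the removed footer as `majordomo at vger.kernel.org`. None of the SELinux example output differs between the two copies, so the labelling walk-through (unlabeled_t to admin_home_t to etc_t inside vm8, with `security.selinux.ns.vm8` as the on-disk xattr and plain `security.selinux` for the init namespace) reads the same from either side.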
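Review bot: the @@ -672,8 +672,3 hunk in 1.txt drops the `--` line and the three-line majordomo unsubscribe trailer while keeping the `-- ` / `1.8.3.1` git format-patch signature, which is the right split: the trailer was appended by the list, the signature is part of the patch as sent. If these two copies are being compared for duplicate detection, list-added trailers should be stripped before the content is hashed rather than keeping both variants around.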
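Review bot: the header hunk in content_digest (@@ -1,7 +1,10) is a real difference in recipient metadata, not formatting: the `a` copy lists only the LSM list in To, while N1 puts Stephen Smalley and selinux@tycho.nsa.gov in To, moves the LSM list to Cc next to Paul Moore, and adds the display name to From. Both copies carry the same Message-ID given in the page title, so duplicate detection should key on that; the digests at the end of the diff (`0efa44d0...` versus `ce6c8f25...`) cannot match while the recorded headers differ.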
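Review bot: the content_digest body hunks (@@ -49 through @@ -677) mirror the 1.txt changes line for line and need no separate review; the one oddity is in the last hunk, where the final digest entry on both sides (`More majordomo info ...` for `a`, `1.8.3.1` for N1) is emitted unquoted and without `\n`, unlike every other entry. That is consistent with the body's last line lacking a trailing newline, and it is worth confirming the digest serializer handles that case deliberately rather than by accident.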