From: paul@paul-moore.com (Paul Moore)
To: linux-security-module@vger.kernel.org
Subject: [PATCH] selinux: Assign proper class to PF_UNIX/SOCK_RAW sockets
Date: Wed, 21 Jun 2017 15:04:01 -0400
Message-ID: <CAHC9VhQMFw9BAimnnwM9Zv1Vp28Edm7FSdFCiOEpXUX4go8gWQ@mail.gmail.com>
In-Reply-To: <20170621114812.6aa3f62e@vega.skynet.aixah.de>

On Wed, Jun 21, 2017 at 5:48 AM, Luis Ressel <aranea@aixah.de> wrote:
> On Tue, 20 Jun 2017 17:43:38 -0400
> Paul Moore <paul@paul-moore.com> wrote:
>
>> Considering where we are at with respect to the merge window, let's
>> shelve this for now and I'll merge it after the next merge window
>> closes. In all likelihood I'll be sending selinux/next up to James
>> later this week and I'd like this to sit in linux-next for longer than
>> a few days.
>
> That means the change will land in 4.14 at the earliest, right? (Just
> out of curiosity.)

That's correct. We are currently working towards a v4.12 release in
Linus' tree, the upcoming merge window will be for v4.13, and things
merged into selinux/next after that merge window will be for v4.14.

> By the way, refpolicy only grants "socket" permissions to a handful of
> domains, all of which also have the corresponding "unix_dgram_socket"
> permissions. The fedora policy does the same (according to Stephen);
> this only leaves custom policies to be potentially affected by this
> change.

While custom policies are definitely in the minority, we still need to
do our best not to break them without warning.

> Given that the SOCK_RAW->SOCK_DGRAM translation is obscure enough not to
> be documented anywhere outside the kernel sources, I doubt there are
> many users of it, anyway.

You very well may be right, I just felt that such a change requires
more than a week in the selinux/next tree.

Thank you for your patch, it's in the queue and I'll be merging it
into the selinux/next branch in a few weeks.

--
paul moore
www.paul-moore.com