From: Michal Piotrowski <michal.k.k.piotrowski@gmail.com>
To: Paul Moore <paul.moore@hp.com>
Cc: jmorris@namei.org, michal.k.k.piotrowski@gmail.com,
	torvalds@linux-foundation.org, linux-kernel@vger.kernel.org,
	sds@tycho.nsa.gov
Subject: The art of breaking userspace (was Re: [GIT] SELinux changes for 2.6.23 (updated))
Date: Fri, 13 Jul 2007 21:08:37 +0200	[thread overview]
Message-ID: <4697CDB5.1060708@googlemail.com> (raw)
In-Reply-To: <3267153665.17485311@mail.hp.com>

Paul Moore writes:
[..]
> On Fri, 13 Jul 2007, Michal Piotrowski wrote:
>> My system is too secure, I can not login :)
>>
>> Do you have CONFIG_NETLABEL=y ?
>>
>> If so, please try disabling it.
> 
> Disabling NetLabel should solve the problem.

Disabling NetLabel solves the problem.

>  The recommended solution to this problem, as discussed on the SELinux list and mentioned in the patch description, is to upgrade your SELinux policy to the latest Reference Policy sources.  For those with custom SELinux policy, the patch description explains the changes to the SELinux policy required. 

I'm sorry to say this, but this kind of patch should not be accepted.

Patch

commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0
Author: Paul Moore <paul.moore@hp.com>
Date:   Fri Jun 29 11:48:16 2007 -0400

    SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel

    These changes will make NetLabel behave like labeled IPsec where there is an
    access check for both labeled and unlabeled packets as well as providing the
    ability to restrict domains to receiving only labeled packets when NetLabel
    is in use.  The changes to the policy are straight forward with the
    following necessary to receive labeled traffic (with SECINITSID_NETMSG
    defined as "netlabel_peer_t"):

     allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;

    The policy for unlabeled traffic would be:

     allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;

    These policy changes, as well as more general NetLabel support, are included
    in the SELinux Reference Policy SVN tree, r2352 or later.  Users who enable
    NetLabel support in the kernel are strongly encouraged to upgrade their
    policy to avoid network problems.

    Signed-off-by: Paul Moore <paul.moore@hp.com>
    Signed-off-by: James Morris <jmorris@namei.org>


breaks systems with recent selinux policy.

(rpm -qa selinux-policy-*
selinux-policy-devel-2.6.4-25.fc7
selinux-policy-targeted-2.6.4-25.fc7)

I will add this as a regression unless Linus says "Fsck it! We don't care about compatibility".

> 
> If needed I can post more instructions later, let me know, but right now I'm tapping this out on my phone while at the airport.
> 
> . paul moore
> . linux security @ hp
> 
> 
> 

Regards,
Michal

-- 
LOG
http://www.stardust.webpages.pl/log/
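As an added example (not code from this thread, the kernel patch or the Reference Policy), a small Python checker that parses the allow rules of an SELinux policy source and reports, for a given domain, which of the recvfrom permissions described in the commit message are absent, which is the check a sysadmin would want before booting a CONFIG_NETLABEL kernel with this change. The policy snippet is constructed for the example, and the olddom_t domain in it is hypothetical.

```python
import re

# Socket classes named in the commit message as needing recvfrom.
SOCKET_CLASSES = ("tcp_socket", "udp_socket", "rawip_socket")
# Peer types: labeled traffic is netlabel_peer_t, unlabeled traffic unlabeled_t.
PEER_TYPES = ("netlabel_peer_t", "unlabeled_t")

# allow <src> <tgt>:<class or { set }> <perm or { set }>;
# Does not handle '~' complements, '*' wildcards or attribute expansion.
_RULE = re.compile(
    r"allow\s+([^\s:]+)\s+([^\s:]+)\s*:\s*(\{[^}]*\}|[^\s;{}]+)"
    r"\s+(\{[^}]*\}|[^\s;{}]+)\s*;"
)

def _expand(field):
    """Turn 'foo' or '{ foo bar }' into a set of names."""
    return set(field.strip("{} \t\n").split())

def parse_allow_rules(policy_text):
    """Yield (source, target, class, perm) for every allow rule, with
    brace sets expanded to one tuple per class/permission pair."""
    text = re.sub(r"#.*", "", policy_text)      # drop policy comments
    for m in _RULE.finditer(text):
        src, tgt, classes, perms = m.groups()
        for cls in _expand(classes):
            for perm in _expand(perms):
                yield src, tgt, cls, perm

def missing_netlabel_rules(policy_text, domain):
    """Return sorted (peer_type, socket_class) pairs for which `domain` has
    no recvfrom rule, i.e. traffic the patched kernel would deny it."""
    granted = {(t, c) for s, t, c, p in parse_allow_rules(policy_text)
               if s == domain and p == "recvfrom"}
    return sorted((t, c) for t in PEER_TYPES for c in SOCKET_CLASSES
                  if (t, c) not in granted)

# Constructed sample: mydom_t carries both rules from the commit message,
# olddom_t (hypothetical) only a partial set that predates the change.
SAMPLE_POLICY = """
allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
allow olddom_t unlabeled_t:{ tcp_socket udp_socket } recvfrom;
allow olddom_t netlabel_peer_t:tcp_socket { recvfrom };  # labeled tcp only
"""

if __name__ == "__main__":
    for dom in ("mydom_t", "olddom_t"):
        print(dom, "missing:", missing_netlabel_rules(SAMPLE_POLICY, dom))
```

Pointing it at the .te sources of an installed policy gives a per-domain list of the denials to expect after the upgrade; an empty list for a domain means its policy already matches the commit message.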
