* [PATCH 0/2] SELinux Netlabel updates
From: James Morris @ 2007-07-17 23:48 UTC (permalink / raw)
To: Linus Torvalds
Cc: Stephen Smalley, Paul Moore, linux-kernel, michal.k.k.piotrowski
Hi Linus,
These are updated Netlabel/SELinux changes from Paul, reworked so that
they don't break userspace. Michal says they work for him. Please apply
for 2.6.23.
The following changes since commit 489de30259e667d7bc47da9da44a0270b050cd97:
Linus Torvalds (1):
Merge branch 'merge' of git://git.kernel.org/.../paulus/powerpc
are found in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6.git#for-linus
Paul Moore (2):
SELinux: enable dynamic activation/deactivation of NetLabel/SELinux enforcement
SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel
include/net/netlabel.h | 6 +++
net/netlabel/netlabel_cipso_v4.c | 5 +++
net/netlabel/netlabel_kapi.c | 21 ++++++++++++
net/netlabel/netlabel_mgmt.c | 65 ++++++++++++++++++++++++++++++++++++++
net/netlabel/netlabel_mgmt.h | 5 +++
security/selinux/hooks.c | 21 ++++++------
security/selinux/netlabel.c | 49 ++++++++++++++++------------
7 files changed, 141 insertions(+), 31 deletions(-)
--
James Morris
<jmorris@namei.org>
* [PATCH 1/2] SELinux: enable dynamic activation/deactivation of NetLabel/SELinux enforcement
From: James Morris @ 2007-07-17 23:48 UTC (permalink / raw)
To: Linus Torvalds
Cc: Stephen Smalley, Paul Moore, linux-kernel, michal.k.k.piotrowski
From: Paul Moore <paul.moore@hp.com>
Create a new NetLabel KAPI interface, netlbl_enabled(), which reports on
the current runtime status of NetLabel based on the existing
configuration. LSMs that make use of NetLabel, i.e. SELinux, can use this
new function to determine if they should perform NetLabel access checks.
This patch changes the NetLabel/SELinux glue code such that SELinux only
enforces NetLabel related access checks when netlbl_enabled() returns
true.
At present NetLabel is considered to be enabled when there is at least one
labeled protocol configuration present. The result is that by default
NetLabel is considered to be disabled; however, as soon as an
administrator configures a CIPSO DOI definition NetLabel is enabled and
SELinux starts enforcing NetLabel related access controls - including
unlabeled packet controls.
This patch should resolve the issue reported by Michal Piotrowski here:
* http://lkml.org/lkml/2007/7/12/362
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
---
include/net/netlabel.h | 6 +++
net/netlabel/netlabel_cipso_v4.c | 5 +++
net/netlabel/netlabel_kapi.c | 21 ++++++++++++
net/netlabel/netlabel_mgmt.c | 65 ++++++++++++++++++++++++++++++++++++++
net/netlabel/netlabel_mgmt.h | 5 +++
security/selinux/netlabel.c | 8 +++++
6 files changed, 110 insertions(+), 0 deletions(-)
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 9b7d6f2..5d2bcad 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -332,6 +332,7 @@ static inline int netlbl_secattr_catmap_setrng(
*/
#ifdef CONFIG_NETLABEL
+int netlbl_enabled(void);
int netlbl_sock_setattr(struct sock *sk,
const struct netlbl_lsm_secattr *secattr);
int netlbl_sock_getattr(struct sock *sk,
@@ -340,6 +341,11 @@ int netlbl_skbuff_getattr(const struct sk_buff *skb,
struct netlbl_lsm_secattr *secattr);
void netlbl_skbuff_err(struct sk_buff *skb, int error);
#else
+int netlbl_enabled(void)
+{
+ return 0;
+}
+
static inline int netlbl_sock_setattr(struct sock *sk,
const struct netlbl_lsm_secattr *secattr)
{
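Review bot: the `#else` stub `int netlbl_enabled(void) { return 0; }` is a non-static, non-inline function definition in a header, so with CONFIG_NETLABEL unset every C file that includes <net/netlabel.h> emits its own copy of the symbol and the link fails with a multiple-definition error; declare it `static inline int netlbl_enabled(void)` like the adjacent `netlbl_sock_setattr` stub. The CONFIG_NETLABEL branch above correctly carries only the prototype, so the two blocks would then be consistent.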
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
index 24b660f..c060e3f 100644
--- a/net/netlabel/netlabel_cipso_v4.c
+++ b/net/netlabel/netlabel_cipso_v4.c
@@ -41,6 +41,7 @@
#include "netlabel_user.h"
#include "netlabel_cipso_v4.h"
+#include "netlabel_mgmt.h"
/* Argument struct for cipso_v4_doi_walk() */
struct netlbl_cipsov4_doiwalk_arg {
@@ -419,6 +420,8 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
ret_val = netlbl_cipsov4_add_pass(info);
break;
}
+ if (ret_val == 0)
+ netlbl_mgmt_protocount_inc();
audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
&audit_info);
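Review bot: netlbl_mgmt_protocount_inc() runs only after the DOI has already been published by the add path above it, so there is a short window in which a packet carrying the new label can arrive while netlbl_enabled() still returns 0 and is passed through without a NetLabel check; that matches the pre-patch default and fails open rather than closed, but it deserves a comment, or the count update could be moved next to the point where the DOI becomes visible so both change together.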
@@ -694,6 +697,8 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
ret_val = cipso_v4_doi_remove(doi,
&audit_info,
netlbl_cipsov4_doi_free);
+ if (ret_val == 0)
+ netlbl_mgmt_protocount_dec();
audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
&audit_info);
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index b165712..50195e2 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -38,6 +38,7 @@
#include "netlabel_domainhash.h"
#include "netlabel_unlabeled.h"
#include "netlabel_user.h"
+#include "netlabel_mgmt.h"
/*
* Security Attribute Functions
@@ -245,6 +246,26 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
*/
/**
+ * netlbl_enabled - Determine if the NetLabel subsystem is enabled
+ *
+ * Description:
+ * The LSM can use this function to determine if it should use NetLabel
+ * security attributes in it's enforcement mechanism. Currently, NetLabel is
+ * considered to be enabled when it's configuration contains a valid setup for
+ * at least one labeled protocol (i.e. NetLabel can understand incoming
+ * labeled packets of at least one type); otherwise NetLabel is considered to
+ * be disabled.
+ *
+ */
+int netlbl_enabled(void)
+{
+ /* At some point we probably want to expose this mechanism to the
+ * user as well so that admins can toggle NetLabel regardless of
+ * the configuration */
+ return (netlbl_mgmt_protocount_value() > 0 ? 1 : 0);
+}
+
+/**
* netlbl_socket_setattr - Label a socket using the correct protocol
* @sk: the socket to label
* @secattr: the security attributes
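Review bot: kernel-doc nits in netlbl_enabled(): "it's" should be "its" in both places, and the block has no "Returns:" line even though the function returns 1/0; the ternary `(netlbl_mgmt_protocount_value() > 0 ? 1 : 0)` can simply be `return netlbl_mgmt_protocount_value() > 0;`. Since netlbl_mgmt_protocount_value() samples the count without taking the lock, a caller may briefly see the old value around a DOI add/remove; that is fine for a gating check, but the description should say the result is advisory rather than synchronised with the configuration.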
diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c
index e00fc21..5315dac 100644
--- a/net/netlabel/netlabel_mgmt.c
+++ b/net/netlabel/netlabel_mgmt.c
@@ -42,6 +42,10 @@
#include "netlabel_user.h"
#include "netlabel_mgmt.h"
+/* NetLabel configured protocol count */
+static DEFINE_SPINLOCK(netlabel_mgmt_protocount_lock);
+static u32 netlabel_mgmt_protocount = 0;
+
/* Argument struct for netlbl_domhsh_walk() */
struct netlbl_domhsh_walk_arg {
struct netlink_callback *nl_cb;
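Review bot: style, `static u32 netlabel_mgmt_protocount = 0;` explicitly zero-initialises a static, which checkpatch flags; drop the `= 0`. Given that the reader added further down samples the value without the lock, an `atomic_t` would express the intent more directly than a spinlock plus an unlocked read.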
@@ -67,6 +71,67 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = {
};
/*
+ * NetLabel Misc Managment Functions
+ */
+
+/**
+ * netlbl_mgmt_protocount_inc - Increment the configured labeled protocol count
+ *
+ * Description:
+ * Increment the number of labeled protocol configurations in the current
+ * NetLabel configuration. Keep track of this for use in determining if
+ * NetLabel label enforcement should be active/enabled or not in the LSM.
+ *
+ */
+void netlbl_mgmt_protocount_inc(void)
+{
+ rcu_read_lock();
+ spin_lock(&netlabel_mgmt_protocount_lock);
+ netlabel_mgmt_protocount++;
+ spin_unlock(&netlabel_mgmt_protocount_lock);
+ rcu_read_unlock();
+}
+
+/**
+ * netlbl_mgmt_protocount_dec - Decrement the configured labeled protocol count
+ *
+ * Description:
+ * Decrement the number of labeled protocol configurations in the current
+ * NetLabel configuration. Keep track of this for use in determining if
+ * NetLabel label enforcement should be active/enabled or not in the LSM.
+ *
+ */
+void netlbl_mgmt_protocount_dec(void)
+{
+ rcu_read_lock();
+ spin_lock(&netlabel_mgmt_protocount_lock);
+ if (netlabel_mgmt_protocount > 0)
+ netlabel_mgmt_protocount--;
+ spin_unlock(&netlabel_mgmt_protocount_lock);
+ rcu_read_unlock();
+}
+
+/**
+ * netlbl_mgmt_protocount_value - Return the number of configured protocols
+ *
+ * Description:
+ * Return the number of labeled protocols in the current NetLabel
+ * configuration. This value is useful in determining if NetLabel label
+ * enforcement should be active/enabled or not in the LSM.
+ *
+ */
+u32 netlbl_mgmt_protocount_value(void)
+{
+ u32 val;
+
+ rcu_read_lock();
+ val = netlabel_mgmt_protocount;
+ rcu_read_unlock();
+
+ return val;
+}
+
+/*
* NetLabel Command Handlers
*/
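Review bot: the rcu_read_lock()/rcu_read_unlock() pairs in netlbl_mgmt_protocount_inc(), _dec() and _value() protect nothing: the counter is a plain u32, not an RCU-managed pointer, and the inc/dec paths already hold netlabel_mgmt_protocount_lock; drop the RCU calls (or move to atomic_t and drop the spinlock as well). In _dec() the `if (netlabel_mgmt_protocount > 0)` guard silently masks an inc/dec imbalance; a WARN_ON_ONCE() in the else branch would surface such a bug instead of hiding it. Typo in the section comment: "Managment" should be "Management".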
diff --git a/net/netlabel/netlabel_mgmt.h b/net/netlabel/netlabel_mgmt.h
index 3642d3b..ccb2b39 100644
--- a/net/netlabel/netlabel_mgmt.h
+++ b/net/netlabel/netlabel_mgmt.h
@@ -168,4 +168,9 @@ enum {
/* NetLabel protocol functions */
int netlbl_mgmt_genl_init(void);
+/* NetLabel misc management functions */
+void netlbl_mgmt_protocount_inc(void);
+void netlbl_mgmt_protocount_dec(void);
+u32 netlbl_mgmt_protocount_value(void);
+
#endif
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index e64eca2..ed9155b 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -155,6 +155,11 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
int rc;
struct netlbl_lsm_secattr secattr;
+ if (!netlbl_enabled()) {
+ *sid = SECSID_NULL;
+ return 0;
+ }
+
netlbl_secattr_init(&secattr);
rc = netlbl_skbuff_getattr(skb, &secattr);
if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
@@ -298,6 +303,9 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
u32 netlbl_sid;
u32 recv_perm;
+ if (!netlbl_enabled())
+ return 0;
+
rc = selinux_netlbl_skbuff_getsid(skb,
SECINITSID_UNLABELED,
&netlbl_sid);
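Review bot: returning 0 when netlbl_enabled() is false makes the disabled state allow-by-default; that is the behaviour that resolves Michal's report, but it also means the first CIPSO DOI an administrator adds flips every socket into enforcing mode at once, including the unlabeled-packet checks. A one-line comment stating the fail-open choice here, in addition to the commit message, would stop the next reader from treating it as an oversight.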
--
1.5.0.6
* [PATCH 2/2] SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel
From: James Morris @ 2007-07-17 23:49 UTC (permalink / raw)
To: Linus Torvalds
Cc: Stephen Smalley, Paul Moore, linux-kernel, michal.k.k.piotrowski
From: Paul Moore <paul.moore@hp.com>
These changes will make NetLabel behave like labeled IPsec where there is
an access check for both labeled and unlabeled packets as well as
providing the ability to restrict domains to receiving only labeled
packets when NetLabel is in use. The changes to the policy are
straightforward with the following necessary to receive labeled traffic (with
SECINITSID_NETMSG defined as "netlabel_peer_t"):
allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
The policy for unlabeled traffic would be:
allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
These policy changes, as well as more general NetLabel support, are
included in the latest SELinux Reference Policy release 20070629 or later.
Users who make use of NetLabel are strongly encouraged to upgrade their
policy to avoid network problems.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
---
security/selinux/hooks.c | 21 +++++++++++----------
security/selinux/netlabel.c | 41 ++++++++++++++++++++---------------------
2 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 78c3f98..aff8f46 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3129,17 +3129,19 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
/**
* selinux_skb_extlbl_sid - Determine the external label of a packet
* @skb: the packet
- * @base_sid: the SELinux SID to use as a context for MLS only external labels
* @sid: the packet's SID
*
* Description:
* Check the various different forms of external packet labeling and determine
- * the external SID for the packet.
+ * the external SID for the packet. If only one form of external labeling is
+ * present then it is used, if both labeled IPsec and NetLabel labels are
+ * present then the SELinux type information is taken from the labeled IPsec
+ * SA and the MLS sensitivity label information is taken from the NetLabel
+ * security attributes. This bit of "magic" is done in the call to
+ * selinux_netlbl_skbuff_getsid().
*
*/
-static void selinux_skb_extlbl_sid(struct sk_buff *skb,
- u32 base_sid,
- u32 *sid)
+static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
{
u32 xfrm_sid;
u32 nlbl_sid;
@@ -3147,10 +3149,9 @@ static void selinux_skb_extlbl_sid(struct sk_buff *skb,
selinux_skb_xfrm_sid(skb, &xfrm_sid);
if (selinux_netlbl_skbuff_getsid(skb,
(xfrm_sid == SECSID_NULL ?
- base_sid : xfrm_sid),
+ SECINITSID_NETMSG : xfrm_sid),
&nlbl_sid) != 0)
nlbl_sid = SECSID_NULL;
-
*sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
}
@@ -3695,7 +3696,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
if (sock && sock->sk->sk_family == PF_UNIX)
selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
else if (skb)
- selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid);
+ selinux_skb_extlbl_sid(skb, &peer_secid);
if (peer_secid == SECSID_NULL)
err = -EINVAL;
@@ -3756,7 +3757,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
u32 newsid;
u32 peersid;
- selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
+ selinux_skb_extlbl_sid(skb, &peersid);
if (peersid == SECSID_NULL) {
req->secid = sksec->sid;
req->peer_secid = SECSID_NULL;
@@ -3794,7 +3795,7 @@ static void selinux_inet_conn_established(struct sock *sk,
{
struct sk_security_struct *sksec = sk->sk_security;
- selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
+ selinux_skb_extlbl_sid(skb, &sksec->peer_sid);
}
static void selinux_req_classify_flow(const struct request_sock *req,
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index ed9155b..051b14c 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -163,9 +163,7 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
netlbl_secattr_init(&secattr);
rc = netlbl_skbuff_getattr(skb, &secattr);
if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
- rc = security_netlbl_secattr_to_sid(&secattr,
- base_sid,
- sid);
+ rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid);
else
*sid = SECSID_NULL;
netlbl_secattr_destroy(&secattr);
@@ -203,7 +201,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
if (netlbl_sock_getattr(sk, &secattr) == 0 &&
secattr.flags != NETLBL_SECATTR_NONE &&
security_netlbl_secattr_to_sid(&secattr,
- SECINITSID_UNLABELED,
+ SECINITSID_NETMSG,
&nlbl_peer_sid) == 0)
sksec->peer_sid = nlbl_peer_sid;
netlbl_secattr_destroy(&secattr);
@@ -300,41 +298,42 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
struct avc_audit_data *ad)
{
int rc;
- u32 netlbl_sid;
- u32 recv_perm;
+ u32 nlbl_sid;
+ u32 perm;
+ struct netlbl_lsm_secattr secattr;
if (!netlbl_enabled())
return 0;
- rc = selinux_netlbl_skbuff_getsid(skb,
- SECINITSID_UNLABELED,
- &netlbl_sid);
+ netlbl_secattr_init(&secattr);
+ rc = netlbl_skbuff_getattr(skb, &secattr);
+ if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
+ rc = security_netlbl_secattr_to_sid(&secattr,
+ SECINITSID_NETMSG,
+ &nlbl_sid);
+ else
+ nlbl_sid = SECINITSID_UNLABELED;
+ netlbl_secattr_destroy(&secattr);
if (rc != 0)
return rc;
- if (netlbl_sid == SECSID_NULL)
- return 0;
-
switch (sksec->sclass) {
case SECCLASS_UDP_SOCKET:
- recv_perm = UDP_SOCKET__RECVFROM;
+ perm = UDP_SOCKET__RECVFROM;
break;
case SECCLASS_TCP_SOCKET:
- recv_perm = TCP_SOCKET__RECVFROM;
+ perm = TCP_SOCKET__RECVFROM;
break;
default:
- recv_perm = RAWIP_SOCKET__RECVFROM;
+ perm = RAWIP_SOCKET__RECVFROM;
}
- rc = avc_has_perm(sksec->sid,
- netlbl_sid,
- sksec->sclass,
- recv_perm,
- ad);
+ rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad);
if (rc == 0)
return 0;
- netlbl_skbuff_err(skb, rc);
+ if (nlbl_sid != SECINITSID_UNLABELED)
+ netlbl_skbuff_err(skb, rc);
return rc;
}
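Review bot: the netlbl_secattr_init()/netlbl_skbuff_getattr()/security_netlbl_secattr_to_sid() sequence now duplicates selinux_netlbl_skbuff_getsid() except that an absent label maps to SECINITSID_UNLABELED instead of SECSID_NULL; a `default_sid` parameter on the existing helper would avoid open-coding the same steps twice. The `if (nlbl_sid != SECINITSID_UNLABELED)` guard before netlbl_skbuff_err() also warrants a comment, since the reason (there is no label on an unlabeled packet to report a rejection against) is not obvious from the code alone.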
--
1.5.0.6
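A user-space model of the receive-side decision the two patches describe (netlbl_enabled() gating by the configured-protocol count, then a recvfrom check against netlabel_peer_t for labeled and unlabeled_t for unlabeled packets), written for this review and not taken from the kernel or from the patches; all SIDs, the domains (mydom_t, strict_t, noperm_t) and the allow table are constructed stand-ins, and socket class and MLS handling are left out.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins for the kernel SIDs named in the thread; the
 * domains are hypothetical. strict_t deliberately has no unlabeled_t rule. */
enum sid { SECSID_NULL, SECINITSID_UNLABELED, SECINITSID_NETMSG,
	   MYDOM_T, STRICT_T, NOPERM_T };

/* Model of netlabel_mgmt_protocount: each configured labeled protocol
 * (e.g. one CIPSO DOI) bumps the count; netlbl_enabled() is true when > 0. */
static unsigned int protocount;
static void protocount_inc(void) { protocount++; }
static void protocount_dec(void) { if (protocount > 0) protocount--; }
static int netlbl_enabled(void) { return protocount > 0; }

/* Toy AVC holding only recvfrom rules, modelled on the policy lines above:
 *   allow mydom_t  netlabel_peer_t:{tcp_socket udp_socket rawip_socket} recvfrom;
 *   allow mydom_t  unlabeled_t:{...} recvfrom;
 *   allow strict_t netlabel_peer_t:{...} recvfrom;   (labeled peers only) */
struct rule { enum sid ssid, tsid; };
static const struct rule recvfrom_rules[] = {
	{ MYDOM_T, SECINITSID_NETMSG }, { MYDOM_T, SECINITSID_UNLABELED },
	{ STRICT_T, SECINITSID_NETMSG },
};
static int avc_has_perm(enum sid ssid, enum sid tsid)
{
	for (size_t i = 0; i < sizeof recvfrom_rules / sizeof *recvfrom_rules; i++)
		if (recvfrom_rules[i].ssid == ssid && recvfrom_rules[i].tsid == tsid)
			return 0;
	return -EACCES;
}

/* err_sent models whether netlbl_skbuff_err() was called for the packet. */
struct rcv_result { int rc; bool err_sent; };

/* selinux_netlbl_sock_rcv_skb() as left by patch 1: an unlabeled packet maps
 * to SECSID_NULL and is never checked. (The model uses one stand-in peer SID
 * for labeled packets in both versions.) */
static struct rcv_result rcv_skb_patch1(enum sid sock_sid, bool labeled)
{
	struct rcv_result r = { 0, false };
	if (!netlbl_enabled() || !labeled)
		return r;
	r.rc = avc_has_perm(sock_sid, SECINITSID_NETMSG);
	r.err_sent = r.rc != 0;
	return r;
}

/* The same hook after patch 2: an unlabeled packet becomes SECINITSID_UNLABELED
 * and is checked too, but no error is reported back for an unlabeled packet. */
static struct rcv_result rcv_skb_patch2(enum sid sock_sid, bool labeled)
{
	struct rcv_result r = { 0, false };
	enum sid nlbl_sid = labeled ? SECINITSID_NETMSG : SECINITSID_UNLABELED;
	if (!netlbl_enabled())
		return r;
	r.rc = avc_has_perm(sock_sid, nlbl_sid);
	r.err_sent = r.rc != 0 && nlbl_sid != SECINITSID_UNLABELED;
	return r;
}

/* Receive one packet with ndoi labeled protocols configured, then undo the
 * configuration so the count returns to its starting value. */
static struct rcv_result run_scenario(unsigned int ndoi, enum sid sock_sid,
				      bool labeled, int patch)
{
	struct rcv_result r;
	for (unsigned int i = 0; i < ndoi; i++)
		protocount_inc();
	r = patch == 1 ? rcv_skb_patch1(sock_sid, labeled)
		       : rcv_skb_patch2(sock_sid, labeled);
	for (unsigned int i = 0; i < ndoi; i++)
		protocount_dec();
	return r;
}
```

With no labeled protocol configured every packet passes, with one configured strict_t receives only labeled traffic under patch 2 whereas patch 1 let its unlabeled packets through unchecked.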
* Re: [PATCH 0/2] SELinux Netlabel updates
From: Linus Torvalds @ 2007-07-18 0:24 UTC (permalink / raw)
To: James Morris
Cc: Stephen Smalley, Paul Moore, linux-kernel, michal.k.k.piotrowski
On Tue, 17 Jul 2007, James Morris wrote:
>
> These are updated Netlabel/SELinux changes from Paul, reworked so that
> they don't break userspace. Michal says they work for him. Please apply
> for 2.6.23.
They don't work AT ALL for me:
security/selinux/ss/sidtab.o: In function `netlbl_enabled':
sidtab.c:(.text+0x0): multiple definition of `netlbl_enabled'
security/selinux/ss/ebitmap.o:ebitmap.c:(.text+0x0): first defined here
Tssk.
That dummy "netlbl_enabled()" should be "static inline", methinks.
Also, that <net/netlabel.h> file has two blocks after each other of
#ifdef CONFIG_NETLABEL
..
#else
..
#endif
#ifdef CONFIG_NETLABEL
..
#else
..
#endif
which might as well be cleaned up at the same time (and might have avoided
this bug, since then the people involved would have seen the _correct_
example in the first version)
Please fix up and ask me to pull again. Preferably by actually fixing up
the commit itself, so that we don't unnecessarily have revisions that
don't even compile and thus potentially screw up git-bisect attempts.
Linus
* Re: [PATCH 0/2] SELinux Netlabel updates
From: Michal Piotrowski @ 2007-07-18 0:39 UTC (permalink / raw)
To: Linus Torvalds
Cc: James Morris, Stephen Smalley, Paul Moore, linux-kernel, michal.k.k.piotrowski
Linus Torvalds wrote:
>
> On Tue, 17 Jul 2007, James Morris wrote:
>> These are updated Netlabel/SELinux changes from Paul, reworked so that
>> they don't break userspace. Michal says they work for him. Please apply
>> for 2.6.23.
>
> They don't work AT ALL for me:
>
> security/selinux/ss/sidtab.o: In function `netlbl_enabled':
> sidtab.c:(.text+0x0): multiple definition of `netlbl_enabled'
> security/selinux/ss/ebitmap.o:ebitmap.c:(.text+0x0): first defined here
>
> Tssk.
Once again I tested both patches; the build log shows only this:
Root device is (8, 1)
Setup is 10264 bytes (padded to 10752 bytes).
System is 2040 kB
WARNING: vmlinux(.text+0xc1001183): Section mismatch: reference to .init.text:start_kernel (between 'is386' and 'check_x87')
WARNING: vmlinux(.text+0xc126dafb): Section mismatch: reference to .init.text: (between 'rest_init' and 'kthreadd_setup')
WARNING: vmlinux(.text+0xc1271a3b): Section mismatch: reference to .init.text: (between 'iret_exc' and '_etext')
WARNING: vmlinux(.text+0xc1271a48): Section mismatch: reference to .init.text: (between 'iret_exc' and '_etext')
WARNING: vmlinux(.text+0xc1271a54): Section mismatch: reference to .init.text: (between 'iret_exc' and '_etext')
WARNING: vmlinux(.text+0xc1271a60): Section mismatch: reference to .init.text: (between 'iret_exc' and '_etext')
WARNING: vmlinux(.text+0xc126dc11): Section mismatch: reference to .init.text:__alloc_bootmem_node (between 'alloc_node_mem_
map' and 'zone_wait_table_init')
WARNING: vmlinux(.text+0xc126dc9b): Section mismatch: reference to .init.text:__alloc_bootmem_node (between 'zone_wait_table
_init' and '__sched_text_start')
WARNING: vmlinux(.text+0xc1272252): Section mismatch: reference to .init.text: (between 'iret_exc' and '_etext')
gcc --version
gcc (GCC) 4.1.2 20070502 (Red Hat 4.1.2-12)
>
> That dummy "netlbl_enabled()" should be "static inline", methinks.
>
> Also, that <net/netlabel.h> file has two blocks after each other of
>
> #ifdef CONFIG_NETLABEL
> ..
> #else
> ..
> #endif
>
> #ifdef CONFIG_NETLABEL
> ..
> #else
> ..
> #endif
>
> which might as well be cleaned up at the same time (and might have avoided
> this bug, since then the people involved would have seen the _correct_
> example in the first version)
>
> Please fix up and ask me to pull again. Preferably by actually fixing up
> the commit itself, so that we don't unnecessarily have revisions that
> don't even compile and thus potentially screw up git-bisect attempts.
>
> Linus
>
Regards,
Michal
--
LOG
http://www.stardust.webpages.pl/log/
* Re: [PATCH 0/2] SELinux Netlabel updates
From: Linus Torvalds @ 2007-07-18 0:46 UTC (permalink / raw)
To: Michal Piotrowski; +Cc: James Morris, Stephen Smalley, Paul Moore, linux-kernel
On Wed, 18 Jul 2007, Michal Piotrowski wrote:
>
> Once again I tested both patches, build log shows only this
You clearly didn't test them with CONFIG_NETLABEL set to off, or you have
a buggy compiler.
You had
int netlbl_enabled(void)
{
return 0;
}
in a header file.
Now think for a moment what happens when that header file gets included
multiple times from different C files?
Linus
* Re: [PATCH 0/2] SELinux Netlabel updates
From: Paul Moore @ 2007-07-18 1:53 UTC (permalink / raw)
To: Linus Torvalds
Cc: James Morris, Stephen Smalley, linux-kernel, michal.k.k.piotrowski
On Tuesday 17 July 2007 8:24:55 pm Linus Torvalds wrote:
> On Tue, 17 Jul 2007, James Morris wrote:
> > These are updated Netlabel/SELinux changes from Paul, reworked so that
> > they don't break userspace. Michal says they work for him. Please apply
> > for 2.6.23.
>
> They don't work AT ALL for me:
>
> security/selinux/ss/sidtab.o: In function `netlbl_enabled':
> sidtab.c:(.text+0x0): multiple definition of `netlbl_enabled'
> security/selinux/ss/ebitmap.o:ebitmap.c:(.text+0x0): first defined here
>
> Tssk.
>
> That dummy "netlbl_enabled()" should be "static inline", methinks.
>
> Also, that <net/netlabel.h> file has two blocks after each other of
>
> #ifdef CONFIG_NETLABEL
> ..
> #else
> ..
> #endif
>
> #ifdef CONFIG_NETLABEL
> ..
> #else
> ..
> #endif
>
> which might as well be cleaned up at the same time (and might have avoided
> this bug, since then the people involved would have seen the _correct_
> example in the first version)
Oh my. I'll fix this and get another version out to James and Michal tomorrow
morning; I have to spend the rest of the night smacking myself in the
forehead.
--
paul moore
linux security @ hp