* RE: [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.03
@ 2006-10-05 21:07 Venkat Yekkirala
2006-10-05 21:43 ` David Miller
0 siblings, 1 reply; 8+ messages in thread
From: Venkat Yekkirala @ 2006-10-05 21:07 UTC (permalink / raw)
To: David Miller, Venkat Yekkirala
Cc: netdev, selinux, jmorris, sds, eparis, johnpol, herbert
> > This version takes into account David Miller's comments
> > regarding treatment of security layer errors in the case
> > of socket policies. Specifically, these errors will be
> > treated like how these kind of errors are treated for
> > the main/sub policies, which is to return a full lookup
> > failure.
>
> I only have patches "1" and "3" in my inbox, did you forget
> to send the second one out or are they simply misnumbered?
>
My apologies. The second one is also numbered 1, but has the
following distinct subject line:
[PATCH 1/3] Fix for IPsec leakage with SELinux enabled - V.03: Fix xfrm code
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.03
2006-10-05 21:07 [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.03 Venkat Yekkirala
@ 2006-10-05 21:43 ` David Miller
0 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2006-10-05 21:43 UTC (permalink / raw)
To: vyekkirala; +Cc: netdev, selinux, jmorris, sds, eparis, johnpol, herbert
From: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Date: Thu, 5 Oct 2006 17:07:59 -0400
> My apologies. The second one is also numbered 1, but has the
> following distinct subject line:
> [PATCH 1/3] Fix for IPsec leakage with SELinux enabled - V.03: Fix xfrm code
I definitely deleted one of them, since I usually get N copies
of very single patch posting and two of them looked identical:)
^ permalink raw reply [flat|nested] 8+ messages in thread
* RE: [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.03
@ 2006-10-09 15:42 Venkat Yekkirala
0 siblings, 0 replies; 8+ messages in thread
From: Venkat Yekkirala @ 2006-10-09 15:42 UTC (permalink / raw)
To: David Miller, Venkat Yekkirala
Cc: netdev, selinux, jmorris, sds, eparis, johnpol, herbert
> > My apologies. The second one is also numbered 1, but has the
> > following distinct subject line:
> > [PATCH 1/3] Fix for IPsec leakage with SELinux enabled -
> V.03: Fix xfrm code
>
> I definitely deleted one of them, since I usually get N copies
> of very single patch posting and two of them looked identical:)
I guess this is probably the reason why I don't see the fix in net-2.6.git
yet :) I will resend the patchset with the subject titles fixed up since
it needs to be in 2.6.19.
^ permalink raw reply [flat|nested] 8+ messages in thread
* RE: [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.03
@ 2006-10-05 21:21 Venkat Yekkirala
0 siblings, 0 replies; 8+ messages in thread
From: Venkat Yekkirala @ 2006-10-05 21:21 UTC (permalink / raw)
To: Venkat Yekkirala, 'David Miller'
Cc: 'netdev@vger.kernel.org', 'selinux@tycho.nsa.gov',
'jmorris@namei.org', 'sds@tycho.nsa.gov',
'eparis@redhat.com', 'johnpol@2ka.mipt.ru',
'herbert@gondor.apana.org.au'
> > > This version takes into account David Miller's comments
> > > regarding treatment of security layer errors in the case
> > > of socket policies. Specifically, these errors will be
> > > treated like how these kind of errors are treated for
> > > the main/sub policies, which is to return a full lookup
> > > failure.
> >
> > I only have patches "1" and "3" in my inbox, did you forget
> > to send the second one out or are they simply misnumbered?
> >
>
> My apologies. The second one is also numbered 1, but has the
> following distinct subject line:
> [PATCH 1/3] Fix for IPsec leakage with SELinux enabled -
> V.03: Fix xfrm code
In actuality, patch 2 in the series has the following subject line:
[PATCH 1/3] Fix for IPsec leakage with SELinux enabled - V.03
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.03
@ 2006-10-05 20:42 Venkat Yekkirala
2006-10-05 21:05 ` David Miller
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Venkat Yekkirala @ 2006-10-05 20:42 UTC (permalink / raw)
To: netdev; +Cc: selinux, jmorris, sds, eparis, johnpol, herbert
This version takes into account David Miller's comments
regarding treatment of security layer errors in the case
of socket policies. Specifically, these errors will be
treated like how these kind of errors are treated for
the main/sub policies, which is to return a full lookup
failure.
include/linux/security.h | 24 ++-----
include/net/flow.h | 2
include/net/xfrm.h | 3
net/core/flow.c | 42 ++++++++----
net/ipv4/xfrm4_policy.c | 2
net/ipv6/xfrm6_policy.c | 2
net/key/af_key.c | 5 -
net/xfrm/xfrm_policy.c | 101 ++++++++++++++++++++++--------
net/xfrm/xfrm_user.c | 9 --
security/dummy.c | 3
security/selinux/include/xfrm.h | 3
security/selinux/xfrm.c | 53 ++++++++++++---
12 files changed, 162 insertions(+), 87 deletions(-)
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.03
2006-10-05 20:42 Venkat Yekkirala
@ 2006-10-05 21:05 ` David Miller
2006-10-06 2:50 ` James Morris
2006-10-08 10:35 ` Evgeniy Polyakov
2 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2006-10-05 21:05 UTC (permalink / raw)
To: vyekkirala; +Cc: netdev, selinux, jmorris, sds, eparis, johnpol, herbert
From: Venkat Yekkirala <vyekkirala@trustedcs.com>
Date: Thu, 05 Oct 2006 15:42:13 -0500
> This version takes into account David Miller's comments
> regarding treatment of security layer errors in the case
> of socket policies. Specifically, these errors will be
> treated like how these kind of errors are treated for
> the main/sub policies, which is to return a full lookup
> failure.
I only have patches "1" and "3" in my inbox, did you forget
to send the second one out or are they simply misnumbered?
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.03
2006-10-05 20:42 Venkat Yekkirala
2006-10-05 21:05 ` David Miller
@ 2006-10-06 2:50 ` James Morris
2006-10-08 10:35 ` Evgeniy Polyakov
2 siblings, 0 replies; 8+ messages in thread
From: James Morris @ 2006-10-06 2:50 UTC (permalink / raw)
To: Venkat Yekkirala, Stephen Smalley
Cc: netdev, selinux, Eric Paris, johnpol, Herbert Xu
These patches look ok to me. I've tested them and applied them to the git
tree [1].
Stephen, please let me know if you see any problems.
--
James Morris
<jmorris@namei.org>
[1] Git - git://git.infradead.org/~jmorris/selinux-2.6.git
Web - http://git.infradead.org/?p=users/jmorris/selinux-2.6.git;a=summary
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.03
2006-10-05 20:42 Venkat Yekkirala
2006-10-05 21:05 ` David Miller
2006-10-06 2:50 ` James Morris
@ 2006-10-08 10:35 ` Evgeniy Polyakov
2 siblings, 0 replies; 8+ messages in thread
From: Evgeniy Polyakov @ 2006-10-08 10:35 UTC (permalink / raw)
To: Venkat Yekkirala; +Cc: netdev, selinux, jmorris, sds, eparis, herbert
On Thu, Oct 05, 2006 at 03:42:13PM -0500, Venkat Yekkirala (vyekkirala@trustedcs.com) wrote:
> This version takes into account David Miller's comments
> regarding treatment of security layer errors in the case
> of socket policies. Specifically, these errors will be
> treated like how these kind of errors are treated for
> the main/sub policies, which is to return a full lookup
> failure.
I applied all three patches and rerun my acrypto tests, which do not
show any unencrypted packets anymore, so I ack this changes since they
fix the problem.
Thanks.
--
Evgeniy Polyakov
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2006-10-09 15:42 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-10-05 21:07 [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.03 Venkat Yekkirala
2006-10-05 21:43 ` David Miller
-- strict thread matches above, loose matches on Subject: below --
2006-10-09 15:42 Venkat Yekkirala
2006-10-05 21:21 Venkat Yekkirala
2006-10-05 20:42 Venkat Yekkirala
2006-10-05 21:05 ` David Miller
2006-10-06 2:50 ` James Morris
2006-10-08 10:35 ` Evgeniy Polyakov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).