RE: [PATCH 0/2] [PATCH 0/2] Updated NetLabel/secid-reconciliation bits and a bugfix

RE: [PATCH 0/2] [PATCH 0/2] Updated NetLabel/secid-reconciliation bits and a bugfix

[Venkat Yekkirala]

> > As for the rest of the network labeling, please work 
> together with Venkat 
> > and the SELinux developers on a final patchset which meets 
> all of the 
> > design goals and has been tested, with policy which has been merged 
> > upstream and is available via Fedora devel.  Please keep 
> the discussion 
> > going, but ensure that the final patchset for review and merge 
> > consideration is a complete set against the current git 
> kernel coming from 
> > one person.
> 
> I'm trying :)  When I posted the NetLabel secid support patch 
> last week
> I asked Venkat if he could merge it with the main secid 
> patchset (due to
> size and dependencies that seemed like the most reasonable course of
> action).  For reasons I'm not aware of he chose not to.

FYI- I am no NetLabel expert, and the pathset I sent out that day included
the peersid changes. And since you were going to have to post a patch for
that
again, I thought it best you ported and reposted the entire patch again.

>  As a result I
> keep posting updated patches backed against Venkat's latest and
> incorporating the latest feedback.

And let's keep this going like this on the selinux list. When all the
testing is done and selinux ok's the patchsets, I will combine them
and send them onto netdev. How does that sound?

> 
> Venkat, can you please merge the latest my latest NetLabel 
> secid support
> patch in with your next release?

I would, but it currently is premature. As James says, let's
get policy done, the design proven, and tested and then we will
go to netdev with one patchset.

Re: [PATCH 0/2] [PATCH 0/2] Updated NetLabel/secid-reconciliation bits and a bugfix

[Paul Moore]

Venkat Yekkirala wrote:
>>>As for the rest of the network labeling, please work 
>>
>>together with Venkat 
>>
>>>and the SELinux developers on a final patchset which meets 
>>
>>all of the 
>>
>>>design goals and has been tested, with policy which has been merged 
>>>upstream and is available via Fedora devel.  Please keep 
>>
>>the discussion 
>>
>>>going, but ensure that the final patchset for review and merge 
>>>consideration is a complete set against the current git 
>>
>>kernel coming from 
>>
>>>one person.
>>
>>I'm trying :)  When I posted the NetLabel secid support patch 
>>last week
>>I asked Venkat if he could merge it with the main secid 
>>patchset (due to
>>size and dependencies that seemed like the most reasonable course of
>>action).  For reasons I'm not aware of he chose not to.
> 
> 
> FYI- I am no NetLabel expert, and the pathset I sent out that day included
> the peersid changes. And since you were going to have to post a patch for
> that
> again, I thought it best you ported and reposted the entire patch again.

I'm not talking about the peer_sid changes, although I'm glad they are
part of the secid patchset - thank you.  I'm talking about the patch I
keep reposting to include NetLabel is the secid reconciliation path.

There was a secid patchset posted on Thursday (9/28) night, I posted the
a patch on Friday (9/29) to provide NetLabel support.

There was a secid patchset posted on Sunday (10/1) night, I respun the
NetLabel support patch on Monday (10/2) - "v2".

I respun the NetLabel support patch to take into account Stephen
Smalley's comments on Monday (10/2) - "v3".

There was a small update to the secid patches yesterday (10/3) so I
respun the NetLabel support patch (10/4) - "v4".

>> As a result I
>>keep posting updated patches backed against Venkat's latest and
>>incorporating the latest feedback.
>  
> And let's keep this going like this on the selinux list. When all the
> testing is done and selinux ok's the patchsets, I will combine them
> and send them onto netdev. How does that sound?

Yes, the discussion is a good one I don't want to disrupt that.

I would prefer if all of the patches were in one patchset, pushed out by
one person as that would save me from having to respin my patch if all I
need to do is update it for the latest secid patches.  I think that has
value so people can review/test/etc all of the parts as one coherent
patchset.  However, it's ultimately up to you as you are the one working
on the main secid patchset.

>>Venkat, can you please merge the latest my latest NetLabel 
>>secid support
>>patch in with your next release?
>  
> I would, but it currently is premature. As James says, let's
> get policy done, the design proven, and tested and then we will
> go to netdev with one patchset.

I think it's easier to decide on policy, review the design, and test it
all if there is one place/patchset with all of the latest bits/patches.
 Right not it's not that easy with different patches scattered around.

-- 
paul moore
linux security @ hp

[PATCH 0/2] [PATCH 0/2] Updated NetLabel/secid-reconciliation bits and a bugfix

[paul.moore]

This patchset includes an update to the NetLabel/secid-reconciliation patch,
replacing my "v3" patch from earlier this week, and a bugfix patch to cure a
race condition found during testing this week.  The bugfix patch does not
rely on the secid patches and should be merged regardless as it fixes a bug
which has been around since the very first NetLabel patches (not sure why I
didn't see this sooner).

--
paul moore
linux security @ hp

Re: [PATCH 0/2] [PATCH 0/2] Updated NetLabel/secid-reconciliation bits and a bugfix

[James Morris]

On Wed, 4 Oct 2006, paul.moore@hp.com wrote:

> This patchset includes an update to the NetLabel/secid-reconciliation patch,
> replacing my "v3" patch from earlier this week, and a bugfix patch to cure a
> race condition found during testing this week.  The bugfix patch does not
> rely on the secid patches and should be merged regardless as it fixes a bug
> which has been around since the very first NetLabel patches (not sure why I
> didn't see this sooner).

So, patch 2/2 should go in on it's own against upstream?  If so, in 5B
future, please post such patches separately.

As for the rest of the network labeling, please work together with Venkat 
and the SELinux developers on a final patchset which meets all of the 
design goals and has been tested, with policy which has been merged 
upstream and is available via Fedora devel.  Please keep the discussion 
going, but ensure that the final patchset for review and merge 
consideration is a complete set against the current git kernel coming from 
one person.

Thanks,



- James
-- 
James Morris
<jmorris@namei.org>

Re: [PATCH 0/2] [PATCH 0/2] Updated NetLabel/secid-reconciliation bits and a bugfix

[Paul Moore]

James Morris wrote:
> On Wed, 4 Oct 2006, paul.moore@hp.com wrote:
> 
>>This patchset includes an update to the NetLabel/secid-reconciliation patch,
>>replacing my "v3" patch from earlier this week, and a bugfix patch to cure a
>>race condition found during testing this week.  The bugfix patch does not
>>rely on the secid patches and should be merged regardless as it fixes a bug
>>which has been around since the very first NetLabel patches (not sure why I
>>didn't see this sooner).
> 
> So, patch 2/2 should go in on it's own against upstream?  If so, in 5B
> future, please post such patches separately.

Yes, please commit patch 2/2 regardless as it fixes a bug which is not
dependent on any of the secid patches which are being discussed.  My
apologies for including it in the same patchset, I'll be sure to split
it up next time.

> As for the rest of the network labeling, please work together with Venkat 
> and the SELinux developers on a final patchset which meets all of the 
> design goals and has been tested, with policy which has been merged 
> upstream and is available via Fedora devel.  Please keep the discussion 
> going, but ensure that the final patchset for review and merge 
> consideration is a complete set against the current git kernel coming from 
> one person.

I'm trying :)  When I posted the NetLabel secid support patch last week
I asked Venkat if he could merge it with the main secid patchset (due to
size and dependencies that seemed like the most reasonable course of
action).  For reasons I'm not aware of he chose not to.  As a result I
keep posting updated patches backed against Venkat's latest and
incorporating the latest feedback.

Venkat, can you please merge the latest my latest NetLabel secid support
patch in with your next release?  If not, would you have a problem if I
pushed out a patchset which included your latest patches with the
NetLabel secid support patch and we used this patchset as the basis for
future work?

-- 
paul moore
linux security @ hp

Re: [PATCH 0/2] [PATCH 0/2] Updated NetLabel/secid-reconciliation bits and a bugfix

[James Morris]

On Wed, 4 Oct 2006, Paul Moore wrote:

> > So, patch 2/2 should go in on it's own against upstream?  If so, in 5B
> > future, please post such patches separately.
> 
> Yes, please commit patch 2/2 regardless as it fixes a bug which is not
> dependent on any of the secid patches which are being discussed.  My
> apologies for including it in the same patchset, I'll be sure to split
> it up next time.

Applied.

http://git.infradead.org/?p=users/jmorris/selinux-2.6.git

(This repo may move soon).


-- 
James Morris
<jmorris@namei.org>