From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: Paul Moore <paul@paul-moore.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: working-selinuxns rebase
Date: Thu, 20 Aug 2020 08:10:08 -0400
Message-ID: <CAEjxPJ5cRbCogQ17aakpnMp_0nwDHbMQTqC69SXBA3JcmP1nuQ@mail.gmail.com>
In-Reply-To: <CAHC9VhTbOfFxtjWYytX4qC9hqeNuUV5dnfcES2qUtYzpuUnBuA@mail.gmail.com>

On Wed, Aug 19, 2020 at 9:28 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Tue, Aug 18, 2020 at 9:37 AM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > I did a re-base of the working-selinuxns branch on top of latest next;
> > this required manual conflict fixes due to the encapsulation of the
> > policy state and refactoring of policy reload.  The rebase can be
> > found at:
> > https://github.com/stephensmalley/selinux-kernel/tree/working-selinuxns-rebase
> >
> > It boots, passes the selinux-testsuite, and passes the following
> > trivial exercising of the unshare mechanism:
> > $ sudo bash
> > # echo 1 > /sys/fs/selinux/unshare
> > # unshare -m -n
> > # umount /sys/fs/selinux
> > # mount -t selinuxfs none /sys/fs/selinux
> > # id
> > uid=0(root) gid=0(root) groups=0(root) context=kernel
> > # getenforce
> > Permissive
> > # load_policy
> > # id
> > uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:kernel_t:s0
> >
> > All the same caveats apply - this is still not safe to use and has
> > many unresolved issues as noted in the patch descriptions.
>
> Thanks Stephen, do you mind if I pull that into the working-selinuxns
> branch in the main SELinux repo?

Unfortunately I need to re-base it again and manually fix conflicts
with my patch to avoid dereferencing the policy prior to initialization.
And I'll need to do it again when/if the patch to convert the policy
rwlock to rcu lands.  So you might want to wait. I'm starting to
wonder if the first patch in the series to rename selinux_state/state
to selinux_ns/ns throughout is a mistake because it produces a lot of
unnecessary conflicts.  Originally I did it because that was the
original naming since the encapsulation started to support namespacing
and then I did a mass rename to selinux_state/state for upstreaming
since I wasn't yet upstreaming the actual namespace support. Renaming
it back again reduces conflicts in the later patches but makes the
first one a pain.  But if I just do a mass rename on all the later
patches then I can drop the first one and avoid these unnecessary
conflicts.  Thoughts?
