[GIT PULL] SELinux patches for 3.17

[GIT PULL] SELinux patches for 3.17

[Paul Moore]

Hi James,

Here are the SELinux patches for 3.17.  A total of eight patches, none 
particularly controversial: a few cleanups, a few bug fixes, and a minor tweak 
to reduce the SELinux overhead during boot.  One nice thing is that we remove 
more code than we add in 3.17, so if nothing else we're doing our part to 
fight code bloat :)

All the patches pass the SELinux testsuite and apply cleanly on top of linux-
security #next.

Enjoy,
-Paul

---
The following changes since commit 170b5910d9fbea79de1bb40df22eda5f98250c0c:

  Merge tag 'v3.15' into next (2014-06-17 17:30:23 -0400)

are available in the git repository at:


  git://git.infradead.org/users/pcmoore/selinux next

for you to fetch changes up to 615e51fdda6f274e94b1e905fcaf6111e0d9aa20:

  selinux: reduce the number of calls to synchronize_net() when flushing
           caches (2014-06-26 14:33:56 -0400)

----------------------------------------------------------------
Gideon Israel Dsouza (1):
      security: Used macros from compiler.h instead of __attribute__((...))

Himangi Saraogi (1):
      SELinux: use ARRAY_SIZE

Masahiro Yamada (1):
      selinux, kbuild: remove unnecessary $(hostprogs-y) from clean-files

Namhyung Kim (3):
      selinux: introduce str_read() helper
      selinux: simple cleanup for cond_read_node()
      selinux: fix a possible memory leak in cond_read_node()

Paul Moore (1):
      selinux: reduce the number of calls to synchronize_net() when flushing
               caches

Waiman Long (1):
      selinux: no recursive read_lock of policy_rwlock in security_genfs_sid()

 scripts/selinux/genheaders/Makefile |   1 -
 scripts/selinux/mdp/Makefile        |   2 +-
 security/selinux/hooks.c            |  14 ++++
 security/selinux/include/netif.h    |   2 +
 security/selinux/include/netnode.h  |   2 +
 security/selinux/include/netport.h  |   2 +
 security/selinux/include/security.h |   3 +-
 security/selinux/netif.c            |  15 +---
 security/selinux/netnode.c          |  15 +---
 security/selinux/netport.c          |  15 +---
 security/selinux/ss/conditional.c   |  11 +--
 security/selinux/ss/policydb.c      | 141 ++++++++++------------------------
 security/selinux/ss/services.c      |  41 ++++++++---
 13 files changed, 102 insertions(+), 162 deletions(-)

-- 
paul moore
security and virtualization @ redhat

Re: [GIT PULL] SELinux patches for 3.17

[James Morris]

On Fri, 18 Jul 2014, Paul Moore wrote:

> Hi James,
> 
> Here are the SELinux patches for 3.17.  A total of eight patches, none 
> particularly controversial: a few cleanups, a few bug fixes, and a minor tweak 
> to reduce the SELinux overhead during boot.  One nice thing is that we remove 
> more code than we add in 3.17, so if nothing else we're doing our part to 
> fight code bloat :)
> 
> All the patches pass the SELinux testsuite and apply cleanly on top of linux-
> security #next.

Thanks for testing!  Pulled.


-- 
James Morris
<jmorris@namei.org>

Re: [GIT PULL] SELinux patches for 3.17

[Paul Moore]

On Friday, July 18, 2014 03:37:19 PM Paul Moore wrote:
> Hi James,
> 
> Here are the SELinux patches for 3.17.  A total of eight patches, none
> particularly controversial: a few cleanups, a few bug fixes, and a minor
> tweak to reduce the SELinux overhead during boot...

Hi James,

A late addition to the SELinux patches for 3.17.  Normally I would just wait 
for the next release, but these patches are pretty significant (marked for 
stable as well) so I think they merit the late add.  I just posted the patches 
yesterday with an explanation so I won't bother repeating myself here since 
they are still likely fresh in your inbox.

I did a quick test pull and everything applies cleanly on top of the linux-
security #next tree.

Thanks,
-Paul

---
The following changes since commit 615e51fdda6f274e94b1e905fcaf6111e0d9aa20:

  selinux: reduce the number of calls to synchronize_net() when flushing
           caches (2014-06-26 14:33:56 -0400)

are available in the git repository at:

  git://git.infradead.org/users/pcmoore/selinux next

for you to fetch changes up to 4fbe63d1c773cceef3fe1f6ed0c9c268f4f24760:

  netlabel: shorter names for the NetLabel catmap funcs/structs
            (2014-08-01 11:17:37 -0400)

----------------------------------------------------------------
Paul Moore (4):
      netlabel: fix a problem when setting bits below the previously
                lowest bit
      netlabel: fix the horribly broken catmap functions
      netlabel: fix the catmap walking functions
      netlabel: shorter names for the NetLabel catmap funcs/structs

 include/net/netlabel.h        |  94 ++++++------
 net/ipv4/cipso_ipv4.c         |  47 +++---
 net/netlabel/netlabel_kapi.c  | 327 +++++++++++++++++++++++++++-----------
 security/selinux/ss/ebitmap.c | 133 +++++++----------
 security/selinux/ss/ebitmap.h |   8 +-
 security/smack/smack_access.c |  11 +-
 security/smack/smack_lsm.c    |   6 +-
 security/smack/smackfs.c      |  14 +-
 8 files changed, 366 insertions(+), 274 deletions(-)

-- 
paul moore
security and virtualization @ redhat

Re: [GIT PULL] SELinux patches for 3.17

[James Morris]

On Fri, 1 Aug 2014, Paul Moore wrote:

> On Friday, July 18, 2014 03:37:19 PM Paul Moore wrote:
> > Hi James,
> > 
> > Here are the SELinux patches for 3.17.  A total of eight patches, none
> > particularly controversial: a few cleanups, a few bug fixes, and a minor
> > tweak to reduce the SELinux overhead during boot...
> 
> Hi James,
> 
> A late addition to the SELinux patches for 3.17.  Normally I would just wait 
> for the next release, but these patches are pretty significant (marked for 
> stable as well) so I think they merit the late add.  I just posted the patches 
> yesterday with an explanation so I won't bother repeating myself here since 
> they are still likely fresh in your inbox.
> 
> I did a quick test pull and everything applies cleanly on top of the linux-
> security #next tree.

Thanks, pulled.

-- 
James Morris
<jmorris@namei.org>