Linux-Security-Module Archive on lore.kernel.org
* [GIT PULL] SELinux patches for v5.5
From: Paul Moore @ 2019-11-26 21:24 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: selinux, linux-security-module, linux-kernel

Hi Linus,

Only three SELinux patches for v5.5, all passing the test suite and
listed below; please merge them for v5.5.

- Remove the size limit on SELinux policies, the limitation was a
lingering vestige and no longer necessary.

- Allow file labeling before the policy is loaded.  This should ease
some of the burden when the policy is initially loaded (no need to
relabel files), but it should also help enable some new system
concepts which dynamically create the root filesystem in the initrd.

- Add support for the "greatest lower bound" policy construct which is
defined as the intersection of the MLS range of two SELinux labels.

Thanks,
-Paul
--
The following changes since commit 54ecb8f7028c5eb3d740bb82b0f1d90f2df63c5c:

 Linux 5.4-rc1 (2019-09-30 10:35:40 -0700)

are available in the Git repository at:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
   tags/selinux-pr-20191126

for you to fetch changes up to 42345b68c2e3e2b6549fc34b937ff44240dfc3b6:

 selinux: default_range glblub implementation (2019-10-07 19:01:35 -0400)

----------------------------------------------------------------
selinux/stable-5.5 PR 20191126

----------------------------------------------------------------
Jonathan Lebon (1):
     selinux: allow labeling before policy is loaded

Joshua Brindle (1):
     selinux: default_range glblub implementation

zhanglin (1):
     selinux: remove load size limit

security/selinux/hooks.c            | 12 ++++++++++++
security/selinux/include/security.h |  3 ++-
security/selinux/selinuxfs.c        |  4 ----
security/selinux/ss/context.h       | 32 ++++++++++++++++++++++++++++++++
security/selinux/ss/ebitmap.c       | 18 ++++++++++++++++++
security/selinux/ss/ebitmap.h       |  1 +
security/selinux/ss/mls.c           |  3 +++
security/selinux/ss/policydb.c      |  5 +++++
security/selinux/ss/policydb.h      |  1 +
9 files changed, 74 insertions(+), 5 deletions(-)

-- 
paul moore
www.paul-moore.com
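The "greatest lower bound" construct named in the third bullet above, as an added illustration that is not part of this pull request or of the kernel's code: it models an MLS range as a low and a high level (a sensitivity plus a category set, with categories kept in a 64-bit mask rather than the kernel's extensible bitmap) and computes the intersection of two such ranges, rejecting ranges whose sensitivities do not overlap. The names (mls_range_intersect, cats_run, etc.), the disjointness check and the decision to intersect categories at the low end as well as the high end are this example's own assumptions; the commit referenced in the pull request is the authoritative definition.

```c
/* Added example (not kernel code): intersection of two SELinux MLS
 * ranges, the "greatest lower bound" construct described in the pull
 * request.  Categories are a 64-bit mask (c0..c63) here, not the
 * kernel's extensible bitmap; all names are this example's own. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct mls_level {
    unsigned int sens;  /* sensitivity s0, s1, ... */
    uint64_t cats;      /* bit i set <=> category ci present */
};

struct mls_range {
    struct mls_level low;   /* low end of the range */
    struct mls_level high;  /* high end (clearance) */
};

/* Bit mask for the category run clo..chi, e.g. cats_run(0, 5) == c0.c5. */
static uint64_t cats_run(unsigned int clo, unsigned int chi)
{
    uint64_t mask = 0;
    for (unsigned int c = clo; c <= chi && c < 64; c++)
        mask |= (uint64_t)1 << c;
    return mask;
}

/* a dominates b: higher-or-equal sensitivity and a superset of categories. */
static bool level_dom(const struct mls_level *a, const struct mls_level *b)
{
    return a->sens >= b->sens && (a->cats & b->cats) == b->cats;
}

/* A range is well formed when its high level dominates its low level. */
static bool range_valid(const struct mls_range *r)
{
    return level_dom(&r->high, &r->low);
}

/* Intersection of r1 and r2: the higher of the two low sensitivities,
 * the lower of the two high sensitivities, and only the categories both
 * ranges carry at each end.  Fails when the sensitivity spans do not
 * overlap, leaving *dst untouched.  ASSUMPTION: intersecting categories
 * at the low end as well as the high end is this example's reading of
 * "intersection"; the referenced commit holds the kernel's rule. */
static bool mls_range_intersect(struct mls_range *dst,
                                const struct mls_range *r1,
                                const struct mls_range *r2)
{
    struct mls_range out;

    /* No common sensitivity: the ranges are disjoint. */
    if (r1->high.sens < r2->low.sens || r2->high.sens < r1->low.sens)
        return false;

    out.low.sens  = r1->low.sens > r2->low.sens ? r1->low.sens : r2->low.sens;
    out.high.sens = r1->high.sens < r2->high.sens ? r1->high.sens : r2->high.sens;
    out.low.cats  = r1->low.cats & r2->low.cats;
    out.high.cats = r1->high.cats & r2->high.cats;

    /* Defensive: with two valid inputs the result is always valid. */
    if (!range_valid(&out))
        return false;

    *dst = out;
    return true;
}

/* Print a level in sN:cA,cB style, listing each category bit. */
static void print_level(const struct mls_level *l)
{
    const char *sep = ":";
    printf("s%u", l->sens);
    for (unsigned int c = 0; c < 64; c++) {
        if (l->cats & ((uint64_t)1 << c)) {
            printf("%sc%u", sep, c);
            sep = ",";
        }
    }
}

int main(void)
{
    /* Constructed sample: s0-s3:c0.c5 intersected with s1-s2:c2.c7 */
    struct mls_range a = { {0, 0}, {3, cats_run(0, 5)} };
    struct mls_range b = { {1, 0}, {2, cats_run(2, 7)} };
    struct mls_range c = { {4, 0}, {5, 0} };   /* s4-s5: disjoint from a */
    struct mls_range out;

    if (mls_range_intersect(&out, &a, &b)) {
        print_level(&out.low);
        printf(" - ");
        print_level(&out.high);
        printf("\n");   /* s1 - s2:c2,c3,c4,c5 */
    }
    printf("a and c disjoint: %s\n",
           mls_range_intersect(&out, &a, &c) ? "no" : "yes");
    return 0;
}
```

The disjointness check matters for the failure case: two labels whose sensitivity spans never meet have no common level, so there is no range to assign and the caller has to treat that as an error rather than silently produce an inverted range.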


* Re: [GIT PULL] SELinux patches for v5.5
From: pr-tracker-bot @ 2019-12-01  1:40 UTC (permalink / raw)
  To: Paul Moore; +Cc: Linus Torvalds, selinux, linux-security-module, linux-kernel

The pull request you sent on Tue, 26 Nov 2019 16:24:34 -0500:

> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git tags/selinux-pr-20191126

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/ba75082efc18ced6def42e8f85c494aa2578760e

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.wiki.kernel.org/userdoc/prtracker


* Re: [GIT PULL] SELinux patches for v5.5
From: Mimi Zohar @ 2019-12-02 15:58 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux, linux-security-module, Roberto Sassu, initramfs

[Truncated Cc list, adding Roberto and the initramfs mailing list]

Hi Paul,

On Tue, 2019-11-26 at 16:24 -0500, Paul Moore wrote:

> - Allow file labeling before the policy is loaded.  This should ease
> some of the burden when the policy is initially loaded (no need to
> relabel files), but it should also help enable some new system
> concepts which dynamically create the root filesystem in the initrd.

Any chance you're planning on using Roberto's patches for including
security xattrs in the initramfs?[1]  Any help reviewing his patches
would be much appreciated!

thanks,

Mimi

[1] https://www.spinics.net/lists/linux-initramfs/msg04771.html



* Re: [GIT PULL] SELinux patches for v5.5
From: Paul Moore @ 2019-12-02 20:04 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: selinux, linux-security-module, Roberto Sassu, initramfs

On Mon, Dec 2, 2019 at 10:58 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
> [Truncated Cc list, adding Roberto and the initramfs mailing list]
>
> Hi Paul,
>
> On Tue, 2019-11-26 at 16:24 -0500, Paul Moore wrote:
>
> > - Allow file labeling before the policy is loaded.  This should ease
> > some of the burden when the policy is initially loaded (no need to
> > relabel files), but it should also help enable some new system
> > concepts which dynamically create the root filesystem in the initrd.
>
> Any chance you're planning on using Roberto's patches for including
> security xattrs in the initramfs?[1]
> [1] https://www.spinics.net/lists/linux-initramfs/msg04771.html

I'm assuming you're not asking about me personally? ;)

However, just in case, I'll probably wait until it is picked up by the
various distributions; somehow I haven't yet found the time to roll my
own distribution for personal use ;)

> Any help reviewing his patches
> would be much appreciated!

I would love to help, but given my current workload I'm not sure how
timely the review would be; I would suggest reaching out to the
distributions who maintain the userspace (and have asked for this
feature).

-- 
paul moore
www.paul-moore.com


* Re: [GIT PULL] SELinux patches for v5.5
From: Mimi Zohar @ 2019-12-03  2:00 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux, linux-security-module, Roberto Sassu, initramfs

On Mon, 2019-12-02 at 15:04 -0500, Paul Moore wrote:
> On Mon, Dec 2, 2019 at 10:58 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
> > [Truncated Cc list, adding Roberto and the initramfs mailing list]
> >
> > Hi Paul,
> >
> > On Tue, 2019-11-26 at 16:24 -0500, Paul Moore wrote:
> >
> > > - Allow file labeling before the policy is loaded.  This should ease
> > > some of the burden when the policy is initially loaded (no need to
> > > relabel files), but it should also help enable some new system
> > > concepts which dynamically create the root filesystem in the initrd.
> >
> > Any chance you're planning on using Roberto's patches for including
> > security xattrs in the initramfs?[1]
> > [1] https://www.spinics.net/lists/linux-initramfs/msg04771.html
> 
> I'm assuming you're not asking about me personally? ;)

No, of course not.  I was wondering if "help enable some new system
concepts which dynamically create the root filesystem in the initrd"
adds SELinux labels on the root filesystem.

Mimi



* Re: [GIT PULL] SELinux patches for v5.5
From: Paul Moore @ 2019-12-03  2:14 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: selinux, linux-security-module, Roberto Sassu, initramfs

On December 2, 2019 9:00:35 PM Mimi Zohar <zohar@linux.ibm.com> wrote:

> On Mon, 2019-12-02 at 15:04 -0500, Paul Moore wrote:
>> On Mon, Dec 2, 2019 at 10:58 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
>>> [Truncated Cc list, adding Roberto and the initramfs mailing list]
>>>
>>> Hi Paul,
>>>
>>> On Tue, 2019-11-26 at 16:24 -0500, Paul Moore wrote:
>>>
>>>> - Allow file labeling before the policy is loaded.  This should ease
>>>> some of the burden when the policy is initially loaded (no need to
>>>> relabel files), but it should also help enable some new system
>>>> concepts which dynamically create the root filesystem in the initrd.
>>>
>>> Any chance you're planning on using Roberto's patches for including
>>> security xattrs in the initramfs?[1]
>>> [1] https://www.spinics.net/lists/linux-initramfs/msg04771.html
>>
>> I'm assuming you're not asking about me personally? ;)
>
> No, of course not.  I was wondering if "help enable some new system
> concepts which dynamically create the root filesystem in the initrd"
> adds SELinux labels on the root filesystem.

Once again, that is more of a distro specific question.

--
paul moore
www.paul-moore.com


* RE: [GIT PULL] SELinux patches for v5.5
From: Roberto Sassu @ 2019-12-03  7:57 UTC (permalink / raw)
  To: Paul Moore, Mimi Zohar
  Cc: selinux, linux-security-module, initramfs, Silviu Vlasceanu

> -----Original Message-----
> From: owner-linux-security-module@vger.kernel.org [mailto:owner-linux-
> security-module@vger.kernel.org] On Behalf Of Paul Moore
> Sent: Tuesday, December 3, 2019 3:15 AM
> To: Mimi Zohar <zohar@linux.ibm.com>
> Cc: selinux@vger.kernel.org; linux-security-module@vger.kernel.org;
> Roberto Sassu <roberto.sassu@huawei.com>; initramfs
> <initramfs@vger.kernel.org>
> Subject: Re: [GIT PULL] SELinux patches for v5.5
> 
> On December 2, 2019 9:00:35 PM Mimi Zohar <zohar@linux.ibm.com>
> wrote:
> 
> > On Mon, 2019-12-02 at 15:04 -0500, Paul Moore wrote:
> >> On Mon, Dec 2, 2019 at 10:58 AM Mimi Zohar <zohar@linux.ibm.com>
> wrote:
> >>> [Truncated Cc list, adding Roberto and the initramfs mailing list]
> >>>
> >>> Hi Paul,
> >>>
> >>> On Tue, 2019-11-26 at 16:24 -0500, Paul Moore wrote:
> >>>
> >>>> - Allow file labeling before the policy is loaded.  This should ease
> >>>> some of the burden when the policy is initially loaded (no need to
> >>>> relabel files), but it should also help enable some new system
> >>>> concepts which dynamically create the root filesystem in the initrd.
> >>>
> >>> Any chance you're planning on using Roberto's patches for including
> >>> security xattrs in the initramfs?[1]
> >>> [1] https://www.spinics.net/lists/linux-initramfs/msg04771.html
> >>
> >> I'm assuming you're not asking about me personally? ;)
> >
> > No, of course not.  I was wondering if "help enable some new system
> > concepts which dynamically create the root filesystem in the initrd"
> > adds SELinux labels on the root filesystem.
> 
> Once again, that is more of a distro specific question.

If recent changes allow file labeling before the SELinux policy is loaded,
I think it would help the mechanism I developed. The SELinux label and
IMA/EVM signature can be included in the ram disk (standard CPIO image),
in a special file named METADATA!!! that follows the file the xattrs are applied to.

Roberto

