From: sds@tycho.nsa.gov (Stephen Smalley)
Date: Fri, 31 Aug 2018 12:16:21 -0400
Subject: WARNING in apparmor_secid_to_secctx
In-Reply-To:
References: <000000000000c178e305749daba4@google.com> <37aec45f-69ad-9705-21f1-64ee4ce4a772@tycho.nsa.gov>
Message-ID: <9537a6ff-daf4-d572-bf93-68230909b68e@tycho.nsa.gov>
To: linux-security-module@vger.kernel.org
List-Id: linux-security-module.vger.kernel.org

On 08/31/2018 12:07 PM, Paul Moore wrote:
> On Fri, Aug 31, 2018 at 12:01 PM Stephen Smalley wrote:
>> On 08/29/2018 10:21 PM, Dmitry Vyukov wrote:
>>> On Wed, Aug 29, 2018 at 7:17 PM, syzbot
>>> wrote:
>>>> Hello,
>>>>
>>>> syzbot found the following crash on:
>>>>
>>>> HEAD commit:    817e60a7a2bb Merge branch 'nfp-add-NFP5000-support'
>>>> git tree:       net-next
>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=1536d296400000
>>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=531a917630d2a492
>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=21016130b0580a9de3b5
>>>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>>>>
>>>> Unfortunately, I don't have any reproducer for this crash yet.
>>>>
>>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>>> Reported-by: syzbot+21016130b0580a9de3b5 at syzkaller.appspotmail.com
>>>
>>> Hi John, Tyler,
>>>
>>> I've switched syzbot from selinux to apparmor as we discussed on lss:
>>> https://github.com/google/syzkaller/commit/2c6cb254ae6c06f61e3aba21bb89ffb05b5db946
>>
>> Sorry, does this mean that you are no longer testing selinux via syzbot?
>> That seems unfortunate. SELinux is default-enabled and used in
>> Fedora, RHEL and all derivatives (e.g. CentOS), and mandatory in Android
>> (and seemingly getting some use in ChromeOS now as well, at least for
>> the Android container and possibly wider), so it seems unwise to drop it
>> from your testing altogether. I was under the impression that you were
>> just going to add apparmor to your testing matrix, not drop selinux
>> altogether.
>
> It is also important to note that testing with SELinux enabled but no
> policy loaded is not going to be very helpful (last we talked that is
> what syzbot is/was doing). While syzbot did uncover some issues
> relating to the enabled-no-policy case, those are much less
> interesting and less relevant than the loaded-policy case.

I had thought that they had switched over to at least loading a policy but
possibly left it in permissive mode because the base distribution didn't
properly support SELinux out of the box. But I may be mistaken.

Regardless, the right solution is to migrate to testing with a policy
loaded, not to stop testing altogether. Optimally, they'd test on at least
one distribution/OS where SELinux is in fact supported out of the box,
e.g. CentOS, Android, and/or ChromeOS.