Linux-Security-Module Archive on lore.kernel.org
* SELinux testsuite failure in overlayfs with v4.20-rc kernels
From: James Morris @ 2018-12-12 22:18 UTC
  To: selinux
  Cc: Paul Moore, Stephen Smalley, linux-security-module, mszeredi,
	J. Bruce Fields

The SELinux testsuite is failing in the overlayfs tests in current -rc 
kernels. I bisected the issue to

commit 007ea44892e6fa963a0876a979e34890325c64eb
Author: Miklos Szeredi <mszeredi@redhat.com>
Date:   Fri Oct 26 23:34:39 2018 +0200

    ovl: relax permission checking on underlying layers
    
    Make permission checking more consistent:
    
     - special files don't need any access check on underlying fs
    
     - exec permission check doesn't need to be performed on underlying fs
    
    Reported-by: "J. Bruce Fields" <bfields@fieldses.org>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

Reverting this commit fixes the testsuite failure.

Is there any more information on the rationale for the change?


-- 
James Morris
<jmorris@namei.org>



* Re: SELinux testsuite failure in overlayfs with v4.20-rc kernels
From: Paul Moore @ 2018-12-12 22:24 UTC
  To: James Morris
  Cc: selinux, Stephen Smalley, linux-security-module, mszeredi, bfields

On Wed, Dec 12, 2018 at 5:19 PM James Morris <jmorris@namei.org> wrote:
> The SELinux testsuite is failing in the overlayfs tests in current -rc
> kernels. I bisected the issue to
>
> commit 007ea44892e6fa963a0876a979e34890325c64eb
> Author: Miklos Szeredi <mszeredi@redhat.com>
> Date:   Fri Oct 26 23:34:39 2018 +0200
>
>     ovl: relax permission checking on underlying layers
>
>     Make permission checking more consistent:
>
>      - special files don't need any access check on underlying fs
>
>      - exec permission check doesn't need to be performed on underlying fs
>
>     Reported-by: "J. Bruce Fields" <bfields@fieldses.org>
>     Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
>
> Reverting this commit fixes the testsuite failure.
>
> Is there any more information on the rationale for the change?

This is a known problem, see the archive link below, with Miklos
promising to send a revert to Linus for v4.20.  I just pinged him
earlier this week to remind him, but I haven't heard back yet and I
don't see anything in Linus' tree.

I would much prefer if Miklos sent the revert, but if he doesn't send
the revert by the end of the week, I'm going to send one next week.

https://lore.kernel.org/selinux/CAJfpeguJoEOEjQs4ZpJQaJXF-xCnevUApzNobwmqNX27KQ4vHQ@mail.gmail.com

-- 
paul moore
www.paul-moore.com


* Re: SELinux testsuite failure in overlayfs with v4.20-rc kernels
From: James Morris @ 2018-12-12 23:35 UTC
  To: Paul Moore
  Cc: selinux, Stephen Smalley, linux-security-module, mszeredi, bfields

On Wed, 12 Dec 2018, Paul Moore wrote:

> This is a known problem, see the archive link below, with Miklos
> promising to send a revert to Linus for v4.20.  I just pinged him
> earlier this week to remind him, but I haven't heard back yet and I
> don't see anything in Linus' tree.

Ahh, looks like the mailing list change meant my mail filters weren't 
separating the SELinux postings out for me and I missed these.

-- 
James Morris
<jmorris@namei.org>



* Re: SELinux testsuite failure in overlayfs with v4.20-rc kernels
From: James Morris @ 2018-12-12 23:37 UTC
  To: Paul Moore
  Cc: selinux, Stephen Smalley, linux-security-module, mszeredi, bfields

On Wed, 12 Dec 2018, Paul Moore wrote:

> I would much prefer if Miklos sent the revert, but if he doesn't send
> the revert by the end of the week, I'm going to send one next week.

The revert was posted today.

-- 
James Morris
<jmorris@namei.org>



* Re: SELinux testsuite failure in overlayfs with v4.20-rc kernels
From: Paul Moore @ 2018-12-13 14:33 UTC
  To: James Morris
  Cc: selinux, Stephen Smalley, linux-security-module, mszeredi, bfields

On Wed, Dec 12, 2018 at 6:37 PM James Morris <jmorris@namei.org> wrote:
> On Wed, 12 Dec 2018, Paul Moore wrote:
>
> > I would much prefer if Miklos sent the revert, but if he doesn't send
> > the revert by the end of the week, I'm going to send one next week.
>
> The revert was posted today.

Good news, thanks for the heads-up.  I don't watch all the mailing
lists, I've just been watching Linus' tree.  I don't see it there this
morning, but if it was posted yesterday I imagine it will be merged in
for -rc7.

-- 
paul moore
www.paul-moore.com
