From: Paul Moore
To: Linus Torvalds
Subject: [GIT PULL] SELinux patches for v6.5
Date: Mon, 26 Jun 2023 17:28:15 -0400

Hi Linus,

We've got a number of SELinux patches for v6.5, but nothing too scary.
It is worth mentioning that there is a minor merge conflict in
security/selinux/Makefile (due to the quick fix sent during the
v6.4-rcX cycle); the proper way to resolve the conflict is to simply
take the version in this pull request.

Here is a quick summary of the changes:

- Thanks to help from the MPTCP folks, it looks like we have finally
sorted out a proper solution to the MPTCP socket labeling issue, see
the new security_mptcp_add_subflow() LSM hook.

- Fix the labeled NFS handling such that a labeled NFS share mounted
prior to the initial SELinux policy load is properly labeled once a
policy is loaded; more information in the commit description.

- Two patches to security/selinux/Makefile, the first took the
cleanups in v6.4 a bit further and the second removed the grouped
targets support as that functionality doesn't appear to be properly
supported prior to make v4.3.

- Deprecate the "fs" object context type in SELinux policies.  The fs
object context type was an old vestige that was introduced back in
v2.6.12-rc2 but never really used.

- A number of small changes that remove dead code, clean up some
awkward bits, and generally improve the quality of the code.  See the
individual commit descriptions for more information.


The following changes since commit ac9a78681b921877518763ba0e89202254349d1b:

 Linux 6.4-rc1 (2023-05-07 13:34:35 -0700)

are available in the Git repository at:

for you to fetch changes up to 447a5688005e5b789633bd080016517a08f9fd8d:

 selinux: avoid bool as identifier name (2023-06-05 17:04:01 -0400)

selinux/stable-6.5 PR 20230626

Christian Göttsche (10):
     selinux: do not leave dangling pointer behind
     selinux: adjust typos in comments
     selinux: avc: drop unused function avc_disable()
     selinux: drop return at end of void function avc_insert()
     selinux: retain const qualifier on string literal in avtab_hash_eval()
     selinux: declare read-only data arrays const
     selinux: keep context struct members in sync
     selinux: make header files self-including
     selinux: deprecated fs ocon
     selinux: avoid bool as identifier name

Ondrej Mosnacek (1):
     selinux: make labeled NFS work when mounted before policy load

Paolo Abeni (2):
     security, lsm: Introduce security_mptcp_add_subflow()
     selinux: Implement mptcp_add_subflow hook

Paul Moore (3):
     selinux: more Makefile tweaks
     selinux: small cleanups in selinux_audit_rule_init()
     selinux: fix Makefile for versions of make < v4.3

Xiu Jianfeng (1):
     selinux: cleanup exit_sel_fs() declaration

include/linux/lsm_hook_defs.h                    |  1 +
include/linux/security.h                         |  6 ++
net/mptcp/subflow.c                              |  6 ++
security/security.c                              | 17 ++++++
security/selinux/Makefile                        | 28 ++++++---
security/selinux/avc.c                           | 20 ------
security/selinux/hooks.c                         | 78 +++++++++++++++-----
security/selinux/ima.c                           |  2 +-
security/selinux/include/audit.h                 |  2 +-
security/selinux/include/avc.h                   |  3 -
security/selinux/include/ibpkey.h                |  1 +
security/selinux/include/ima.h                   |  2 +-
security/selinux/include/initial_sid_to_string.h |  3 +
security/selinux/include/security.h              |  2 +-
security/selinux/netlabel.c                      |  8 ++-
security/selinux/selinuxfs.c                     |  4 +-
security/selinux/ss/avtab.c                      |  2 +-
security/selinux/ss/avtab.h                      |  2 +-
security/selinux/ss/conditional.c                |  8 +--
security/selinux/ss/conditional.h                |  2 +-
security/selinux/ss/context.h                    |  2 +
security/selinux/ss/policydb.c                   |  6 +-
security/selinux/ss/policydb.h                   |  2 +-
security/selinux/ss/services.c                   | 40 ++++++------
24 files changed, 158 insertions(+), 89 deletions(-)
