[GIT,PULL] SELinux patches for v5.5

Message ID CAHC9VhRj-vx8AnP5tKcq9joNqWSHRv1bk+3e7DGU9mxjN+fVFg@mail.gmail.com (mailing list archive)
State Accepted

Pull-request

git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git

Message

Paul Moore Nov. 26, 2019, 9:24 p.m. UTC
Hi Linus,

Only three SELinux patches for v5.5, all passing the test suite and
listed below, please merge them for v5.5.

- Remove the size limit on SELinux policies, the limitation was a
lingering vestige and no longer necessary.

- Allow file labeling before the policy is loaded.  This should ease
some of the burden when the policy is initially loaded (no need to
relabel files), but it should also help enable some new system
concepts which dynamically create the root filesystem in the initrd.

- Add support for the "greatest lower bound" policy construct which is
defined as the intersection of the MLS range of two SELinux labels.

Thanks,
-Paul
--
The following changes since commit 54ecb8f7028c5eb3d740bb82b0f1d90f2df63c5c:

 Linux 5.4-rc1 (2019-09-30 10:35:40 -0700)

are available in the Git repository at:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
   tags/selinux-pr-20191126

for you to fetch changes up to 42345b68c2e3e2b6549fc34b937ff44240dfc3b6:

 selinux: default_range glblub implementation (2019-10-07 19:01:35 -0400)

----------------------------------------------------------------
selinux/stable-5.5 PR 20191126

----------------------------------------------------------------
Jonathan Lebon (1):
     selinux: allow labeling before policy is loaded

Joshua Brindle (1):
     selinux: default_range glblub implementation

zhanglin (1):
     selinux: remove load size limit

security/selinux/hooks.c            | 12 ++++++++++++
security/selinux/include/security.h |  3 ++-
security/selinux/selinuxfs.c        |  4 ----
security/selinux/ss/context.h       | 32 ++++++++++++++++++++++++++++++++
security/selinux/ss/ebitmap.c       | 18 ++++++++++++++++++
security/selinux/ss/ebitmap.h       |  1 +
security/selinux/ss/mls.c           |  3 +++
security/selinux/ss/policydb.c      |  5 +++++
security/selinux/ss/policydb.h      |  1 +
9 files changed, 74 insertions(+), 5 deletions(-)
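
The "greatest lower bound" construct in the third patch is easiest to see on concrete labels. The block below is an added illustration written for this page, not the kernel's own code from ss/context.h or ss/ebitmap.c: it models an MLS level as a sensitivity plus a category set, parses the usual `sN:cX.cY-sM:...` range syntax, and computes the intersection of two ranges by taking the greater of the two low sensitivities and the lesser of the two highs. Intersecting the category sets at both ends is an assumption of this simplified model; the parser and the helper names (`parse_range`, `glblub`, `glblub_str`) are likewise this example's own.

```python
# Added example: a simplified model of the SELinux MLS "greatest lower bound"
# (glblub) range operation. This is illustrative code, not the kernel's
# implementation; the category handling at both ends is an assumption here.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sens: int          # sensitivity: s0 < s1 < s2 ...
    cats: frozenset    # category set, e.g. {0, 2} for c0,c2

    def dominates(self, other):
        # a dominates b when a.sens >= b.sens and a's categories include b's
        return self.sens >= other.sens and self.cats >= other.cats


@dataclass(frozen=True)
class MlsRange:
    low: Level
    high: Level


def _parse_level(text):
    # "s1:c0,c2.c4" -> Level(1, {0, 2, 3, 4}); the category list is optional
    m = re.fullmatch(r"s(\d+)(?::(.+))?", text.strip())
    if not m:
        raise ValueError(f"bad MLS level: {text!r}")
    cats = set()
    if m.group(2):
        for part in m.group(2).split(","):
            if "." in part:                      # c2.c4 is an inclusive run
                lo, hi = part.split(".")
                cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:
                cats.add(int(part[1:]))
    return Level(int(m.group(1)), frozenset(cats))


def parse_range(text):
    # "s0-s2:c0.c3", or a single level "s1" meaning low == high
    low, _, high = text.partition("-")
    lo = _parse_level(low)
    hi = _parse_level(high) if high else lo
    if not hi.dominates(lo):
        raise ValueError(f"high level does not dominate low level: {text!r}")
    return MlsRange(lo, hi)


def glblub(r1, r2):
    """Intersection of two MLS ranges.

    low  = the greater of the two low sensitivities
    high = the lesser of the two high sensitivities
    Category sets are intersected at both ends (this model's assumption).
    Returns None when the sensitivity ranges do not overlap at all.
    """
    if r1.high.sens < r2.low.sens or r2.high.sens < r1.low.sens:
        return None  # no common sensitivity, so no meaningful intersection
    low = Level(max(r1.low.sens, r2.low.sens), r1.low.cats & r2.low.cats)
    high = Level(min(r1.high.sens, r2.high.sens), r1.high.cats & r2.high.cats)
    # high dominates low by construction: low.cats is a subset of both input
    # low sets, hence of both input high sets, hence of their intersection.
    return MlsRange(low, high)


def format_level(level):
    # Render categories compactly: consecutive runs become "cX.cY"
    cats = sorted(level.cats)
    parts, i = [], 0
    while i < len(cats):
        j = i
        while j + 1 < len(cats) and cats[j + 1] == cats[j] + 1:
            j += 1
        parts.append(f"c{cats[i]}" if i == j else f"c{cats[i]}.c{cats[j]}")
        i = j + 1
    return f"s{level.sens}" + (":" + ",".join(parts) if parts else "")


def format_range(r):
    if r.low == r.high:
        return format_level(r.low)
    return f"{format_level(r.low)}-{format_level(r.high)}"


def glblub_str(a, b):
    """Convenience wrapper: textual ranges in, textual intersection (or None) out."""
    result = glblub(parse_range(a), parse_range(b))
    return None if result is None else format_range(result)


if __name__ == "__main__":
    # Constructed sample labels, not taken from any real policy
    print(glblub_str("s0-s3:c0.c5", "s1:c1-s2:c1.c3"))   # s1-s2:c1.c3
    print(glblub_str("s0-s1", "s2-s3"))                   # None
```

The second sample shows the failure mode a policy author cares about: when the two ranges share no sensitivity level there is no intersection, and a `default_range glblub` rule for that object class cannot yield a usable label, so the access will not be granted a computed context.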

Comments

pr-tracker-bot@kernel.org Dec. 1, 2019, 1:40 a.m. UTC | #1
The pull request you sent on Tue, 26 Nov 2019 16:24:34 -0500:

> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git tags/selinux-pr-20191126

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/ba75082efc18ced6def42e8f85c494aa2578760e

Thank you!
Mimi Zohar Dec. 2, 2019, 3:58 p.m. UTC | #2
[Truncated Cc list, adding Roberto and the initramfs mailing list]

Hi Paul,

On Tue, 2019-11-26 at 16:24 -0500, Paul Moore wrote:

> - Allow file labeling before the policy is loaded.  This should ease
> some of the burden when the policy is initially loaded (no need to
> relabel files), but it should also help enable some new system
> concepts which dynamically create the root filesystem in the initrd.

Any chance you're planning on using Roberto's patches for including
security xattrs in the initramfs?[1]  Any help reviewing his patches
would be much appreciated!

thanks,

Mimi

[1] https://www.spinics.net/lists/linux-initramfs/msg04771.html
Paul Moore Dec. 2, 2019, 8:04 p.m. UTC | #3
On Mon, Dec 2, 2019 at 10:58 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
> [Truncated Cc list, adding Roberto and the initramfs mailing list]
>
> Hi Paul,
>
> On Tue, 2019-11-26 at 16:24 -0500, Paul Moore wrote:
>
> > - Allow file labeling before the policy is loaded.  This should ease
> > some of the burden when the policy is initially loaded (no need to
> > relabel files), but it should also help enable some new system
> > concepts which dynamically create the root filesystem in the initrd.
>
> Any chance you're planning on using Roberto's patches for including
> security xattrs in the initramfs?[1]
> [1] https://www.spinics.net/lists/linux-initramfs/msg04771.html

I'm assuming you're not asking about me personally? ;)

However, just in case, I'll probably wait until it is picked up by the
various distributions; somehow I haven't yet found the time to roll my
own distribution for personal use ;)

> Any help reviewing his patches
> would be much appreciated!

I would love to help, but given my current workload I'm not sure how
timely the review would be; I would suggest reaching out to the
distributions who maintain the userspace (and have asked for this
feature).
Mimi Zohar Dec. 3, 2019, 2 a.m. UTC | #4
On Mon, 2019-12-02 at 15:04 -0500, Paul Moore wrote:
> On Mon, Dec 2, 2019 at 10:58 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
> > [Truncated Cc list, adding Roberto and the initramfs mailing list]
> >
> > Hi Paul,
> >
> > On Tue, 2019-11-26 at 16:24 -0500, Paul Moore wrote:
> >
> > > - Allow file labeling before the policy is loaded.  This should ease
> > > some of the burden when the policy is initially loaded (no need to
> > > relabel files), but it should also help enable some new system
> > > concepts which dynamically create the root filesystem in the initrd.
> >
> > Any chance you're planning on using Roberto's patches for including
> > security xattrs in the initramfs?[1]
> > [1] https://www.spinics.net/lists/linux-initramfs/msg04771.html
> 
> I'm assuming you're not asking about me personally? ;)

No, of course not.  I was wondering if "help enable some new system
concepts which dynamically create the root filesystem in the initrd"
adds SELinux labels on the root filesystem.

Mimi
Paul Moore Dec. 3, 2019, 2:14 a.m. UTC | #5
On December 2, 2019 9:00:35 PM Mimi Zohar <zohar@linux.ibm.com> wrote:

> On Mon, 2019-12-02 at 15:04 -0500, Paul Moore wrote:
>> On Mon, Dec 2, 2019 at 10:58 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
>>> [Truncated Cc list, adding Roberto and the initramfs mailing list]
>>>
>>> Hi Paul,
>>>
>>> On Tue, 2019-11-26 at 16:24 -0500, Paul Moore wrote:
>>>
>>>> - Allow file labeling before the policy is loaded.  This should ease
>>>> some of the burden when the policy is initially loaded (no need to
>>>> relabel files), but it should also help enable some new system
>>>> concepts which dynamically create the root filesystem in the initrd.
>>>
>>> Any chance you're planning on using Roberto's patches for including
>>> security xattrs in the initramfs?[1]
>>> [1] https://www.spinics.net/lists/linux-initramfs/msg04771.html
>>
>> I'm assuming you're not asking about me personally? ;)
>
> No, of course not.  I was wondering if "help enable some new system
> concepts which dynamically create the root filesystem in the initrd"
> adds SELinux labels on the root filesystem.

Once again, that is more of a distro specific question.

--
paul moore
www.paul-moore.com
Roberto Sassu Dec. 3, 2019, 7:57 a.m. UTC | #6
> -----Original Message-----
> From: owner-linux-security-module@vger.kernel.org [mailto:owner-linux-
> security-module@vger.kernel.org] On Behalf Of Paul Moore
> Sent: Tuesday, December 3, 2019 3:15 AM
> To: Mimi Zohar <zohar@linux.ibm.com>
> Cc: selinux@vger.kernel.org; linux-security-module@vger.kernel.org;
> Roberto Sassu <roberto.sassu@huawei.com>; initramfs
> <initramfs@vger.kernel.org>
> Subject: Re: [GIT PULL] SELinux patches for v5.5
> 
> On December 2, 2019 9:00:35 PM Mimi Zohar <zohar@linux.ibm.com>
> wrote:
> 
> > On Mon, 2019-12-02 at 15:04 -0500, Paul Moore wrote:
> >> On Mon, Dec 2, 2019 at 10:58 AM Mimi Zohar <zohar@linux.ibm.com>
> wrote:
> >>> [Truncated Cc list, adding Roberto and the initramfs mailing list]
> >>>
> >>> Hi Paul,
> >>>
> >>> On Tue, 2019-11-26 at 16:24 -0500, Paul Moore wrote:
> >>>
> >>>> - Allow file labeling before the policy is loaded.  This should ease
> >>>> some of the burden when the policy is initially loaded (no need to
> >>>> relabel files), but it should also help enable some new system
> >>>> concepts which dynamically create the root filesystem in the initrd.
> >>>
> >>> Any chance you're planning on using Roberto's patches for including
> >>> security xattrs in the initramfs?[1]
> >>> [1] https://www.spinics.net/lists/linux-initramfs/msg04771.html
> >>
> >> I'm assuming you're not asking about me personally? ;)
> >
> > No, of course not.  I was wondering if "help enable some new system
> > concepts which dynamically create the root filesystem in the initrd"
> > adds SELinux labels on the root filesystem.
> 
> Once again, that is more of a distro specific question.

If recent changes allow file labeling before the SELinux policy is loaded,
I think it would help the mechanism I developed. The SELinux label and
IMA/EVM signature can be included in the ram disk (standard CPIO image),
in a special file named METADATA!!! that follows the file the xattrs are applied to.

Roberto