-----Original Message-----
From: Stephen Smalley <[EMAIL PROTECTED]>
Date: Friday, Jul 13, 2007 3:30 pm
Subject: Re: The art of breaking userspace (was Re: [GIT] SELinux changes
for 2.6.23 (updated))
To: Michal Piotrowski <[EMAIL PROTECTED]>
CC: Paul Moore <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED],
linux-kernel@vger.kernel.org
On Fri, 2007-07-13 at 21:08 +0200, Michal Piotrowski wrote:
> Paul Moore pisze:
> [..]
> > On Fri, 13 Jul 2007, Michal Piotrowski wrote:
> >> My system is too secure, I can not login :)
> >>
> >> Do you have CONFIG_NETLABEL=y ?
> >>
> >> If so, please try disabling it.
> >
> > Disabling NetLabel should solve the problem.
>
> Disabling NetLabel solves the problem.
>
> > The recommended solution to this problem, as discussed on the SELinux list
> > and mentioned in the patch description, is to upgrade your SELinux policy
> > to the latest Reference Policy sources. For those with custom SELinux
> > policy, the patch description explains the changes to the SELinux policy
> > required.
>
> I'm sorry to say this, but this kind of patches should not be accepted.
>
> Patch
>
> commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0
> Author: Paul Moore <[EMAIL PROTECTED]>
> Date: Fri Jun 29 11:48:16 2007 -0400
>
> SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for
> NetLabel
>
> These changes will make NetLabel behave like labeled IPsec where there is
> an
> access check for both labeled and unlabeled packets as well as providing
> the
> ability to restrict domains to receiving only labeled packets when
> NetLabel
> is in use. The changes to the policy are straight forward with the
> following necessary to receive labeled traffic (with SECINITSID_NETMSG
> defined as "netlabel_peer_t"):
>
> allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket }
> recvfrom;
>
> The policy for unlabeled traffic would be:
>
> allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket }
> recvfrom;
>
> These policy changes, as well as more general NetLabel support, are
> included
> in the SELinux Reference Policy SVN tree, r2352 or later. Users who
> enable
> NetLabel support in the kernel are strongly encouraged to upgrade their
> policy to avoid network problems.
>
> Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
> Signed-off-by: James Morris <[EMAIL PROTECTED]>
>
>
> breaks systems with recent selinux policy.
>
> (rpm -qa selinux-policy-*
> selinux-policy-devel-2.6.4-25.fc7
> selinux-policy-targeted-2.6.4-25.fc7)
>
> I will add this as a regression unless Linus says "Fsck it! We don't care
> about compatibility"
>
>Agreed, it needs to be fixed in the netlabel code.
I'm stuck in the airport right now but I will send a patch out later tonight.
. paul moore
. linux security @ hp
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
