Message ID | CAHC9VhRj-vx8AnP5tKcq9joNqWSHRv1bk+3e7DGU9mxjN+fVFg@mail.gmail.com (mailing list archive)
---|---
State | New, archived
Series | [GIT,PULL] SELinux patches for v5.5
The pull request you sent on Tue, 26 Nov 2019 16:24:34 -0500:
> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git tags/selinux-pr-20191126
has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/ba75082efc18ced6def42e8f85c494aa2578760e
Thank you!
[Truncated Cc list, adding Roberto and the initramfs mailing list]

Hi Paul,

On Tue, 2019-11-26 at 16:24 -0500, Paul Moore wrote:
> - Allow file labeling before the policy is loaded. This should ease
> some of the burden when the policy is initially loaded (no need to
> relabel files), but it should also help enable some new system
> concepts which dynamically create the root filesystem in the initrd.

Any chance you're planning on using Roberto's patches for including
security xattrs in the initramfs?[1] Any help reviewing his patches
would be much appreciated!

thanks,

Mimi

[1] https://www.spinics.net/lists/linux-initramfs/msg04771.html
On Mon, Dec 2, 2019 at 10:58 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
> [Truncated Cc list, adding Roberto and the initramfs mailing list]
>
> Hi Paul,
>
> On Tue, 2019-11-26 at 16:24 -0500, Paul Moore wrote:
>
> > - Allow file labeling before the policy is loaded. This should ease
> > some of the burden when the policy is initially loaded (no need to
> > relabel files), but it should also help enable some new system
> > concepts which dynamically create the root filesystem in the initrd.
>
> Any chance you're planning on using Roberto's patches for including
> security xattrs in the initramfs?[1]
> [1] https://www.spinics.net/lists/linux-initramfs/msg04771.html

I'm assuming you're not asking about me personally? ;)

However, just in case, I'll probably wait until it is picked up by the
various distributions; somehow I haven't yet found the time to roll my
own distribution for personal use ;)

> Any help reviewing his patches
> would be much appreciated!

I would love to help, but given my current workload I'm not sure how
timely the review would be; I would suggest reaching out to the
distributions who maintain the userspace (and have asked for this
feature).
On Mon, 2019-12-02 at 15:04 -0500, Paul Moore wrote:
> On Mon, Dec 2, 2019 at 10:58 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
> > [Truncated Cc list, adding Roberto and the initramfs mailing list]
> >
> > Hi Paul,
> >
> > On Tue, 2019-11-26 at 16:24 -0500, Paul Moore wrote:
> >
> > > - Allow file labeling before the policy is loaded. This should ease
> > > some of the burden when the policy is initially loaded (no need to
> > > relabel files), but it should also help enable some new system
> > > concepts which dynamically create the root filesystem in the initrd.
> >
> > Any chance you're planning on using Roberto's patches for including
> > security xattrs in the initramfs?[1]
> > [1] https://www.spinics.net/lists/linux-initramfs/msg04771.html
>
> I'm assuming you're not asking about me personally? ;)

No, of course not. I was wondering if "help enable some new system
concepts which dynamically create the root filesystem in the initrd"
adds SELinux labels on the root filesystem.

Mimi
On December 2, 2019 9:00:35 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> On Mon, 2019-12-02 at 15:04 -0500, Paul Moore wrote:
>> On Mon, Dec 2, 2019 at 10:58 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
>>> [Truncated Cc list, adding Roberto and the initramfs mailing list]
>>>
>>> Hi Paul,
>>>
>>> On Tue, 2019-11-26 at 16:24 -0500, Paul Moore wrote:
>>>
>>>> - Allow file labeling before the policy is loaded. This should ease
>>>> some of the burden when the policy is initially loaded (no need to
>>>> relabel files), but it should also help enable some new system
>>>> concepts which dynamically create the root filesystem in the initrd.
>>>
>>> Any chance you're planning on using Roberto's patches for including
>>> security xattrs in the initramfs?[1]
>>> [1] https://www.spinics.net/lists/linux-initramfs/msg04771.html
>>
>> I'm assuming you're not asking about me personally? ;)
>
> No, of course not. I was wondering if "help enable some new system
> concepts which dynamically create the root filesystem in the initrd"
> adds SELinux labels on the root filesystem.

Once again, that is more of a distro specific question.

--
paul moore
www.paul-moore.com
> -----Original Message-----
> From: owner-linux-security-module@vger.kernel.org
> [mailto:owner-linux-security-module@vger.kernel.org] On Behalf Of Paul Moore
> Sent: Tuesday, December 3, 2019 3:15 AM
> To: Mimi Zohar <zohar@linux.ibm.com>
> Cc: selinux@vger.kernel.org; linux-security-module@vger.kernel.org;
> Roberto Sassu <roberto.sassu@huawei.com>; initramfs
> <initramfs@vger.kernel.org>
> Subject: Re: [GIT PULL] SELinux patches for v5.5
>
> On December 2, 2019 9:00:35 PM Mimi Zohar <zohar@linux.ibm.com>
> wrote:
>
> > On Mon, 2019-12-02 at 15:04 -0500, Paul Moore wrote:
> >> On Mon, Dec 2, 2019 at 10:58 AM Mimi Zohar <zohar@linux.ibm.com>
> wrote:
> >>> [Truncated Cc list, adding Roberto and the initramfs mailing list]
> >>>
> >>> Hi Paul,
> >>>
> >>> On Tue, 2019-11-26 at 16:24 -0500, Paul Moore wrote:
> >>>
> >>>> - Allow file labeling before the policy is loaded. This should ease
> >>>> some of the burden when the policy is initially loaded (no need to
> >>>> relabel files), but it should also help enable some new system
> >>>> concepts which dynamically create the root filesystem in the initrd.
> >>>
> >>> Any chance you're planning on using Roberto's patches for including
> >>> security xattrs in the initramfs?[1]
> >>> [1] https://www.spinics.net/lists/linux-initramfs/msg04771.html
> >>
> >> I'm assuming you're not asking about me personally? ;)
> >
> > No, of course not. I was wondering if "help enable some new system
> > concepts which dynamically create the root filesystem in the initrd"
> > adds SELinux labels on the root filesystem.
>
> Once again, that is more of a distro specific question.

If recent changes allow file labeling before the SELinux policy is
loaded, I think it would help the mechanism I developed. The SELinux
label and IMA/EVM signature can be included in the ram disk (standard
CPIO image), in a special file named METADATA!!! that follows the file
the xattrs are applied to.

Roberto
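As an added example, not code from this thread, from Roberto's patch series, or from the kernel, the following Python sketch shows how a consumer of such an image could walk a newc CPIO archive and pair each METADATA!!! entry with the regular file entry immediately before it, which is the association the message above describes. The CPIO newc layout is the standard one the kernel unpacks for an initramfs; the record layout inside the METADATA!!! payload (length-prefixed name/value pairs), the sample paths and the xattr values are assumptions constructed for the demo, since the thread does not describe them.

```python
import struct

# Standard newc ("SVR4 without CRC") CPIO constants.
NEWC_MAGIC = b"070701"
HEADER_LEN = 110                # 6-byte magic + 13 eight-char hex fields
METADATA_NAME = "METADATA!!!"   # special entry name mentioned in the thread
TRAILER_NAME = "TRAILER!!!"


def _align4(n):
    """newc pads header+name and data to 4-byte boundaries."""
    return (n + 3) & ~3


def newc_entry(name, data, mode=0o100644):
    """Build one newc entry: header, NUL-terminated name, pad, data, pad."""
    name_b = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
    # rdevmajor, rdevminor, namesize, check
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    body = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields) + name_b
    body += b"\0" * (_align4(len(body)) - len(body))
    body += data
    body += b"\0" * (_align4(len(body)) - len(body))
    return body


def parse_newc(archive):
    """Yield (name, mode, data) for every entry before TRAILER!!!."""
    off = 0
    while True:
        if archive[off:off + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % off)
        hdr = archive[off + 6:off + HEADER_LEN]
        fields = [int(hdr[i * 8:(i + 1) * 8], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name_start = off + HEADER_LEN
        name = archive[name_start:name_start + namesize - 1].decode()
        data_start = _align4(name_start + namesize)
        data = archive[data_start:data_start + filesize]
        if len(data) != filesize:
            raise ValueError("truncated entry %r" % name)
        off = _align4(data_start + filesize)
        if name == TRAILER_NAME:
            return
        yield name, mode, data


# ASSUMED payload layout for METADATA!!! (the thread does not give one):
# repeated big-endian records of u16 name_len | u32 value_len | name | value,
# so binary values such as signatures survive intact.
def encode_metadata(xattrs):
    out = b""
    for name, value in xattrs.items():
        nb = name.encode()
        out += struct.pack("!HI", len(nb), len(value)) + nb + value
    return out


def decode_metadata(payload):
    xattrs, off = {}, 0
    while off < len(payload):
        if off + 6 > len(payload):
            raise ValueError("truncated metadata record header")
        nlen, vlen = struct.unpack_from("!HI", payload, off)
        off += 6
        if off + nlen + vlen > len(payload):
            raise ValueError("metadata record runs past payload end")
        name = payload[off:off + nlen].decode()
        off += nlen
        xattrs[name] = payload[off:off + vlen]
        off += vlen
    return xattrs


def collect_labels(archive):
    """Map path -> xattrs by pairing each METADATA!!! entry with the entry
    right before it; a METADATA!!! with no preceding file is rejected."""
    labels, previous = {}, None
    for name, _mode, data in parse_newc(archive):
        if name == METADATA_NAME:
            if previous is None:
                raise ValueError("METADATA!!! entry with no preceding file")
            labels[previous] = decode_metadata(data)
            previous = None          # one metadata entry per file
        else:
            previous = name
    return labels


def build_sample_archive():
    """Constructed sample: one labelled file, one unlabelled file, trailer.
    The xattr values are made up for the demo, not real labels/signatures."""
    return b"".join([
        newc_entry("etc/hello.conf", b"greeting=hi\n"),
        newc_entry(METADATA_NAME, encode_metadata({
            "security.selinux": b"system_u:object_r:etc_t:s0\0",
            "security.ima": b"\x03\x02placeholder-sig",
        })),
        newc_entry("bin/tool", b"#!/bin/sh\n", mode=0o100755),
        newc_entry(TRAILER_NAME, b""),
    ])
```

Running `collect_labels(build_sample_archive())` yields a mapping for `etc/hello.conf` only; `bin/tool` has no following METADATA!!! entry and so gets no xattrs, and a METADATA!!! entry that appears first in the archive is rejected rather than silently dropped.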