Discussion:
[GIT PULL] SELinux patches for v4.14
Paul Moore
2017-09-12 17:33:54 UTC
As discussed on the linux-security pull request thread, this is the
direct SELinux pull request; the content/tag is the same as what I
sent to James/linux-security earlier:

"A relatively quiet period for SELinux, 11 patches with only two/three
having any substantive changes. These noteworthy changes include
another tweak to the NNP/nosuid handling, per-file labeling for
cgroups, and an object class fix for AF_UNIX/SOCK_RAW sockets; the
rest of the changes are minor tweaks or administrative updates
(Stephen's email update explains the file explosion in the diffstat).
Everything passes the selinux-testsuite and merged cleanly on top of
the linux-security/next branch from earlier today."

---
The following changes since commit 31368ce83c59a5422ee621a38aeea98142d0ecf7:

  tomoyo: Update URLs in Documentation/admin-guide/LSM/tomoyo.rst
  (2017-07-25 11:00:26 +1000)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
  tags/selinux-pr-20170831

for you to fetch changes up to 0c3014f22dec0e1d14c8298551bfb6434638bdd9:

  selinux: constify nf_hook_ops (2017-08-28 17:33:19 -0400)

----------------------------------------------------------------
selinux/stable-4.14 PR 20170831

----------------------------------------------------------------
Antonio Murdaca (1):
      selinux: allow per-file labeling for cgroupfs

Arvind Yadav (1):
      selinux: constify nf_hook_ops

Luis Ressel (1):
      selinux: Assign proper class to PF_UNIX/SOCK_RAW sockets

Michal Hocko (1):
      selinux: use GFP_NOWAIT in the AVC kmem_caches

Paul Moore (3):
      credits: update Paul Moore's info
      selinux: update the selinux info in MAINTAINERS
      MAINTAINERS: update the NetLabel and Labeled Networking information

Stephen Smalley (4):
      selinux: genheaders should fail if too many permissions are defined
      selinux: Generalize support for NNP/nosuid SELinux domain transitions
      selinux: update my email address
      lsm_audit: update my email address

 CREDITS                                 |  8 ++---
 MAINTAINERS                             | 29 ++++++++++-------
 include/linux/lsm_audit.h               |  2 +-
 scripts/selinux/genheaders/genheaders.c |  7 ++++-
 security/lsm_audit.c                    |  2 +-
 security/selinux/avc.c                  | 16 +++++-----
 security/selinux/hooks.c                | 56 ++++++++++++++++++++---------
 security/selinux/include/avc.h          |  2 +-
 security/selinux/include/avc_ss.h       |  2 +-
 security/selinux/include/classmap.h     |  2 ++
 security/selinux/include/objsec.h       |  2 +-
 security/selinux/include/security.h     |  4 ++-
 security/selinux/ss/avtab.c             |  2 +-
 security/selinux/ss/avtab.h             |  2 +-
 security/selinux/ss/constraint.h        |  2 +-
 security/selinux/ss/context.h           |  2 +-
 security/selinux/ss/ebitmap.c           |  2 +-
 security/selinux/ss/ebitmap.h           |  2 +-
 security/selinux/ss/hashtab.c           |  2 +-
 security/selinux/ss/hashtab.h           |  2 +-
 security/selinux/ss/mls.c               |  2 +-
 security/selinux/ss/mls.h               |  2 +-
 security/selinux/ss/mls_types.h         |  2 +-
 security/selinux/ss/policydb.c          |  2 +-
 security/selinux/ss/policydb.h          |  2 +-
 security/selinux/ss/services.c          |  9 ++++--
 security/selinux/ss/services.h          |  2 +-
 security/selinux/ss/sidtab.c            |  2 +-
 security/selinux/ss/sidtab.h            |  2 +-
 security/selinux/ss/symtab.c            |  2 +-
 security/selinux/ss/symtab.h            |  2 +-
 31 files changed, 106 insertions(+), 71 deletions(-)
--
paul moore
www.paul-moore.com
Linus Torvalds
2017-09-12 20:24:54 UTC
Post by Paul Moore
> As discussed on the linux-security pull request thread, this is the
> direct SELinux pull request; the content/tag is the same as what I

The contents may be the same, but the base is different.

In particular, you based it on the security tree that already had a
few other patches, so now that branch contains not just selinux work,
but also a couple of tomoyo patches that came in that way.

Anyway, I pulled this simply because it was easier to review and
didn't have anything I disliked per se, but if we're going to actually
keep the different security layers separate, they need to also have
clean bases for the work in the future.

Anyway, I'm at the airport on my way back home, and hopefully I'll be
back to normal tomorrow after a good night's sleep, and I can take a
look at the rest.

Linus
Paul Moore
2017-09-12 22:00:29 UTC
On Tue, Sep 12, 2017 at 4:24 PM, Linus Torvalds
Post by Linus Torvalds
> Post by Paul Moore
> > As discussed on the linux-security pull request thread, this is the
> > direct SELinux pull request; the content/tag is the same as what I
> The contents may be the same, but the base is different.
>
> In particular, you based it on the security tree that already had a
> few other patches, so now that branch contains not just selinux work,
> but also a couple of tomoyo patches that came in that way.
>
> Anyway, I pulled this simply because it was easier to review and
> didn't have anything I disliked per se, but if we're going to actually
> keep the different security layers separate, they need to also have
> clean bases for the work in the future.
>
> Anyway, I'm at the airport on my way back home, and hopefully I'll be
> back to normal tomorrow after a good night's sleep, and I can take a
> look at the rest.

Oof, sorry about the base mixup; I'll change the SELinux tree base
moving forward so this shouldn't happen again.
--
paul moore
www.paul-moore.com