[PATCH][SELINUX] Re-open descriptors closed on exec by SELinux to /dev/null

Post by Stephen Sm » Wed, 05 May 2004 21:20:15



Not that I know of. Perhaps Al has a suggestion?

--
Stephen Smalley < XXXX@XXXXX.COM >
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to XXXX@XXXXX.COM
More majordomo info at http://www.yqcomputer.com/
Please read the FAQ at http://www.yqcomputer.com/

1. [PATCH 2/2] RFC: selinux: sysctl: fix selinux labeling broken by last patch

2. [PATCH 2/2] RFC: selinux: sysctl: fix selinux labeling broken by last patch


It would be better to include the patch inline for review. In any
event, a few observations on your patch:
- We don't want to replace " *** uous" knowledge of proc with
" *** ous" knowledge of the dcache. So rather than encoding knowledge
of the magical "//deleted" suffix into selinux, use an interface to the
dcache (or add one if none exists) that does not append that suffix at
all. I think apparmor did something similar to deal with the (deleted)
suffix for d_path.

- You don't need special handling of /proc/PID entries. Those are
labeled via the security_task_to_inode -> selinux_task_to_inode hook,
called from proc_pid_make_inode and the _revalidate functions.

- Don't remove the IS_PRIVATE() test from inode_has_perm(), as other
inodes beyond just the /proc/sys ones are marked with that flag
(original usage was for reiserfs xattr inodes).

--
Stephen Smalley
National Security Agency


3. [PATCH 4/5] selinux: Enhance selinux to always ignore private inodes.

4. [PATCH][SELINUX] Add runtime disable for SELinux

5. [PATCH 2/3] SELINUX: Make selinux cache VFS RCU walks safe

6. [PATCH] selinux: Improving SELinux read/write performance

7. [PATCH 6/6] SELinux: kills warnings in Improve SELinux performance when AVC misses

8. [PATCH 4/5] selinux: Enhance selinux to always ignore private inodes.

9. [PATCH] (3/3) SELinux context mount support - SELinux changes.

10. [SELINUX][PATCH 1/4] Fine-grained Netlink support - SELinux headers update

11. [PATCH]SELinux performance improvement by RCU ( RCU issue with SELinux)

12. [PATCH 03/12] SELinux: extract the NetLabel SELinux support from the security server

13. [PATCH] SELinux: BUG in SELinux compat_net code

14. [PATCH][SELinux] Let us not leak memory in SELinux : security_netlbl_cache_add()

15. [PATCH][SELINUX] Add DAC check for setxattr(security.selinux)