Re: [RFC][PATCH] Enable atomic inode security labeling

From: Stephen Smalley (sds@private)
Date: Tue Jul 05 2005 - 09:05:47 PDT


The attached test program demonstrates the lack of atomic inode security
labeling that is solved by the prior patch.  On a dual Xeon running any
unpatched SELinux kernel (e.g. stock Fedora kernel or vanilla
2.6.13-rc1), it quickly hits a false denial due to the lack of atomic
inode security labeling.  On a patched kernel, it does not encounter
such a false denial.  Note that if you are using targeted policy, you
need to first remove access to unlabeled_t from the unconfined_domain
macro in your policy and reload it prior to running the test program to
trigger the false denial from an unconfined shell.

-- 
Stephen Smalley
National Security Agency




