GIT 19d3f4fc09b307a62c5703ac01a8226a79aeebca git+ssh://master.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6.git#for-akpm commit ee9f2900c7575fd83ee64ece34d40c91e569a995 Author: Stephen Smalley Date: Thu Apr 19 14:16:19 2007 -0400 selinux: preserve boolean values across policy reloads At present, the userland policy loading code has to go through contortions to preserve boolean values across policy reloads, and cannot do so atomically. As this is what we always want to do for reloads, let the kernel preserve them instead. Signed-off-by: Stephen Smalley Acked-by: Karl MacMillan Signed-off-by: James Morris commit ce203bcc43b1771d19ed7495a5c4fc0bb715fbdd Author: James Carter Date: Wed Apr 4 16:18:50 2007 -0400 selinux: change numbering of boolean directory inodes in selinuxfs Change the numbering of the booleans directory inodes in selinuxfs to provide more room for new inodes without a conflict in inode numbers and to be consistent with how inode numbering is done in the initial_contexts directory. Signed-off-by: James Carter Acked-by: Eric Paris Acked-by: Stephen Smalley Signed-off-by: James Morris commit a935255c4675ee55dccf5207bb2099b2584b68fd Author: James Carter Date: Wed Apr 4 16:18:43 2007 -0400 selinux: remove unused enumeration constant from selinuxfs Remove the unused enumeration constant, SEL_AVC, from the sel_inos enumeration in selinuxfs. Signed-off-by: James Carter Acked-by: Eric Paris Acked-by: Stephen Smalley Signed-off-by: James Morris commit 15bb6b7c3944a5c0cf3827c46135d970da05350f Author: James Carter Date: Wed Apr 4 16:18:39 2007 -0400 selinux: explicitly number all selinuxfs inodes Explicitly number all selinuxfs inodes to prevent a conflict between inodes numbered using last_ino when created with new_inode() and those labeled explicitly. Signed-off-by: James Carter Acked-by: Eric Paris Acked-by: Stephen Smalley Signed-off-by: James Morris commit 9545dc3d0e1a7fb8f3c0e699e186a90a5c07662b Author: James Carter Date: Wed Apr 4 10:11:29 2007 -0400 selinux: export initial SID contexts via selinuxfs Make the initial SID contexts accessible to userspace via selinuxfs. An initial use of this support will be to make the unlabeled context available to libselinux for use for invalidated userspace SIDs. Signed-off-by: James Carter Acked-by: Stephen Smalley Signed-off-by: James Morris commit b740419aeaf1f5f32acff94f51eeb27a05b3a7d9 Author: Stephen Smalley Date: Mon Mar 26 13:36:26 2007 -0400 selinux: remove userland security class and permission definitions Remove userland security class and permission definitions from the kernel as the kernel only needs to use and validate its own class and permission definitions and userland definitions may change. Signed-off-by: Stephen Smalley Signed-off-by: James Morris commit afe24e79a3c61de2e2ad016211372f18f7bdebc3 Author: Paul Moore Date: Thu Mar 1 14:35:22 2007 -0500 SELinux: move security_skb_extlbl_sid() out of the security server As suggested, move the security_skb_extlbl_sid() function out of the security server and into the SELinux hooks file. Signed-off-by: Paul Moore Acked-by: Stephen Smalley Signed-off-by: James Morris commit 183d1d821aca04e0698db5345dcd1d1cd8d853f9 Author: Stephen Smalley Date: Fri Feb 23 09:20:09 2007 -0500 MAINTAINERS: update selinux entry Add Eric Paris as an SELinux maintainer. Signed-off-by: James Morris commit 612af53b56a304b0ac87a14dd1d9fe743163472b Author: Paul Moore Date: Wed Feb 28 15:14:23 2007 -0500 SELinux: rename selinux_netlabel.h to netlabel.h In the beginning I named the file selinux_netlabel.h to avoid potential namespace colisions. However, over time I have realized that there are several other similar cases of multiple header files with the same name so I'm changing the name to something which better fits with existing naming conventions. Signed-off-by: Paul Moore Signed-off-by: James Morris commit 8d8f7c1045081efa51d8135a6bd1516355e10916 Author: Paul Moore Date: Wed Feb 28 15:14:22 2007 -0500 SELinux: extract the NetLabel SELinux support from the security server Up until this patch the functions which have provided NetLabel support to SELinux have been integrated into the SELinux security server, which for various reasons is not really ideal. This patch makes an effort to extract as much of the NetLabel support from the security server as possibile and move it into it's own file within the SELinux directory structure. Signed-off-by: Paul Moore Signed-off-by: James Morris commit bb64df2da05eceb62acd32fdc13c23a7006c3d85 Author: Paul Moore Date: Wed Feb 28 15:14:21 2007 -0500 NetLabel: convert a BUG_ON in the CIPSO code to a runtime check This patch changes a BUG_ON in the CIPSO code to a runtime check. It should also increase the readability of the code as it replaces an unexplained constant with a well defined macro. Signed-off-by: Paul Moore Signed-off-by: James Morris commit b6b432b3fdddfae3c9908f6bd10f1d256d9e1087 Author: Paul Moore Date: Wed Feb 28 15:14:20 2007 -0500 NetLabel: cleanup and document CIPSO constants This patch collects all of the CIPSO constants and puts them in one place; it also documents each value explaining how the value is derived. Signed-off-by: Paul Moore Signed-off-by: James Morris commit a1e2554b5d6bf11a526dfd78d98715fcb8e4d932 Author: Stephen Smalley Date: Mon Feb 26 12:02:34 2007 -0500 Always initialize scontext and scontext_len Always initialize *scontext and *scontext_len in security_sid_to_context. (via http://lkml.org/lkml/2007/2/23/135) Signed-off-by: Stephen Smalley Signed-off-by: James Morris commit 3355090cadc83ffd885c11c075d78c223ad04d30 Author: Eric Paris Date: Thu Feb 22 18:11:31 2007 -0500 Reassign printk levels in selinux kernel code Below is a patch which demotes many printk lines to KERN_DEBUG from KERN_INFO. It should help stop the spamming of logs with messages in which users are not interested nor is there any action that users should take. It also promotes some KERN_INFO to KERN_ERR such as when there are improper attempts to register/unregister security modules. A similar patch was discussed a while back on list: http://marc.theaimsgroup.com/?t=116656343500003&r=1&w=2 This patch addresses almost all of the issues raised. I believe the only advice not taken was in the demoting of messages related to undefined permissions and classes. Signed-off-by: Eric Paris Acked-by: Stephen Smalley security/selinux/hooks.c | 20 ++++++++++---------- security/selinux/ss/avtab.c | 2 +- security/selinux/ss/policydb.c | 6 +++--- security/selinux/ss/sidtab.c | 2 +- 4 files changed, 15 insertions(+), 15 deletions(-) Signed-off-by: James Morris commit 9fa641b08233f144fed7cd577bd8b41a706bc621 Author: Venkat Yekkirala Date: Tue Dec 12 13:02:41 2006 -0600 selinux: Delete mls_copy_context This deletes mls_copy_context() in favor of mls_context_cpy() and replaces mls_scopy_context() with mls_context_cpy_low(). Signed-off-by: Venkat Yekkirala Acked-by: Stephen Smalley Signed-off-by: James Morris commit 6dc6dca8bd34b1c8e4506f510adc78f40f0bc454 Author: Joy Latten Date: Thu Nov 30 15:50:43 2006 -0600 audit: disable ipsec auditing when CONFIG_AUDITSYSCALL=n Disables auditing in ipsec when CONFIG_AUDITSYSCALL is disabled in the kernel. Also includes a bug fix for xfrm_state.c as a result of original ipsec audit patch. Signed-off-by: Joy Latten Signed-off-by: James Morris commit faafdc1dc743b7e8215e02219109f9e346430619 Author: Joy Latten Date: Mon Nov 27 13:11:54 2006 -0600 Add auditing to ipsec An audit message occurs when an ipsec SA or ipsec policy is created/deleted. Signed-off-by: Joy Latten Signed-off-by: James Morris security/selinux/selinuxfs.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index aca099a..98af83f 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -1245,7 +1245,7 @@ out: return ret; } -static ssize_t sel_read_initcon(struct file * file, char __user *buf, +static ssize_t sel_read_initcon(struct file * file, char __user *buf, size_t count, loff_t *ppos) { struct inode *inode;