
Bug#338543: linux-image-2.6.14-1-686: CONFIG_SECURITY_NETWORK is disabled which totally breaks SE/Linux



Package: linux-image-2.6.14-1-686
Severity: normal


On Thu, Nov 10, 2005 at 01:50:24PM -0500, Stephen Smalley wrote:
> On Wed, 2005-11-09 at 08:36 -0500, Stephen Smalley wrote:
> > On Tue, 2005-11-08 at 20:31 +0100, Erich Schubert wrote:
> > > Hi,
> > > > Hmmm...can you supply any more info to help reproduce the bug?
> > > 
> > > I've upgraded a box of mine running a self-compiled 2.6.14-rc3 to
> > > Debian's 2.6.14 - and the error has appeared on it, too.
> > > So it's not caused by the policy, but either by some .config thing or a
> > > patch in the Debian kernel. I doubt that anything relevant has happened
> > > between rc3 and final...
> > > I'm going to build a 2.6.14 from vanilla sources with the .config of my
> > > installed Debian kernel to narrow down.
> > 
> > Thanks.  Could you also send me a copy of that .config file for
> > reference?
> 
> Ok, I've tracked down the cause of this problem in the Debian kernels:
> they are disabling CONFIG_SECURITY_NETWORK, which disables all of the
> LSM socket hooks.  Thus, SELinux never gets a chance to classify the
> socket inodes as socket objects via its selinux_socket_* hook functions,
> and SELinux can no longer distinguish them from sock files at
> d_instantiate time because of the removal of the i_sock field in 2.6.12
> (which we didn't view as a problem at the time because we had the socket
> hooks to address the issue).
> 
> I'd suggest asking the Debian kernel maintainers to entertain the notion
> of enabling CONFIG_SECURITY_NETWORK.  If they are being driven by
> performance considerations (and have actual data to show that the mere
> presence of the LSM hooks is having real impact, even with selinux=0),
> then possibly CONFIG_SECURITY_NETWORK could be tightened up to only
> apply to the hooks that are on the critical path (e.g. sock_rcv_skb is
> likely the largest concern).
> 
> -- 
> Stephen Smalley
> National Security Agency
> 
> 


-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux highfield 2.6.12-1-686 #1 Wed Jul 20 22:07:17 UTC 2005 i686
Locale: LANG=C, LC_CTYPE=C
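The quoted analysis boils down to one kernel config option: with CONFIG_SECURITY_NETWORK off, the LSM socket hooks are compiled out and SELinux cannot label sockets. As an added example (not part of the bug report or of Debian's tooling), the POSIX shell below checks a kernel .config for that option together with CONFIG_SECURITY and CONFIG_SECURITY_SELINUX, distinguishing "=y", "=m", explicitly "is not set", and absent. The function names and the sample config are constructed here; only the option names come from the thread.

```shell
#!/bin/sh
# Added example: verify a kernel .config enables the LSM network hooks
# that SELinux socket labelling depends on. The sample config near the
# bottom is constructed to mimic the Debian 2.6.14 config described in
# the bug report; it is not the real Debian config.

# lsm_option_state FILE OPTION
#   prints one of: y (built in), m (module), n (explicitly not set), absent
lsm_option_state() {
    file="$1"; opt="$2"
    if grep -q "^${opt}=y$" "$file"; then
        echo y
    elif grep -q "^${opt}=m$" "$file"; then
        echo m
    elif grep -q "^# ${opt} is not set$" "$file"; then
        echo n
    else
        echo absent
    fi
}

# selinux_network_hooks_ok FILE
#   returns 0 when CONFIG_SECURITY, CONFIG_SECURITY_NETWORK and
#   CONFIG_SECURITY_SELINUX are all built in, otherwise prints the first
#   option that is wrong and returns 1.
selinux_network_hooks_ok() {
    file="$1"
    for opt in CONFIG_SECURITY CONFIG_SECURITY_NETWORK CONFIG_SECURITY_SELINUX; do
        state=$(lsm_option_state "$file" "$opt")
        if [ "$state" != "y" ]; then
            echo "$opt is $state in $file: SELinux cannot label sockets"
            return 1
        fi
    done
    echo "$file: LSM socket hooks enabled"
    return 0
}

# make_sample_config FILE
#   writes a constructed config fragment with the network hooks disabled,
#   the situation the bug report describes.
make_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_SELINUX=y
EOF
}

# Demonstration on the constructed sample (reports the missing option).
demo=$(mktemp)
make_sample_config "$demo"
selinux_network_hooks_ok "$demo" || :
rm -f "$demo"
```

On a running Debian system the same check applies to the installed kernel's config with `selinux_network_hooks_ok /boot/config-$(uname -r)`; on kernels that expose `/proc/config.gz`, pipe `zcat /proc/config.gz` into a temporary file first.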