Bug#338543: linux-image-2.6.14-1-686: CONFIG_SECURITY_NETWORK is disabled which totally breaks SE/Linux
On Thu, Nov 10, 2005 at 01:50:24PM -0500, Stephen Smalley wrote:
> On Wed, 2005-11-09 at 08:36 -0500, Stephen Smalley wrote:
> > On Tue, 2005-11-08 at 20:31 +0100, Erich Schubert wrote:
> > > Hi,
> > > > Hmmm...can you supply any more info to help reproduce the bug?
> > >
> > > I've upgraded a box of mine running a self-compiled 2.6.14-rc3 to
> > > debians 2.6.14 - and the error has appeared on it, too.
> > > So it's not caused by the policy, but either by some .config thing
> > > or a
> > > patch in the debian kernel. I doubt that there has happened
> > > anything
> > > relevant between rc3 and final...
> > > I'm going to build a 2.6.14 from vanilla sources with the .config
> > > of my
> > > installed debian kernel to narrow down.
> > Thanks. Could you also send me a copy of that .config file for
> > reference?
> Ok, I've tracked down the cause of this problem in the Debian kernels:
> they are disabling CONFIG_SECURITY_NETWORK, which disables all of the
> LSM socket hooks. Thus, SELinux never gets a chance to classify the
> socket inodes as socket objects via its selinux_socket_* hook
> and SELinux can no longer distinguish them from sock files at
> d_instantiate time because of the removal of the i_sock field in
> (which we didn't view as a problem at the time because we had the
> hooks to address the issue).
> I'd suggest asking the Debian kernel maintainers to entertain the
> of enabling CONFIG_SECURITY_NETWORK. If they are being driven by
> performance considerations (and have actual data to show that the mere
> presence of the LSM hooks is having real impact, even with selinux=0),
> then possibly CONFIG_SECURITY_NETWORK could be tightened up to only
> apply to the hooks that are on the critical path (e.g. sock_rcv_skb is
> likely the largest concern).
> Stephen Smalley
> National Security Agency
-- System Information:
Debian Release: testing/unstable
Kernel: Linux highfield 2.6.12-1-686 #1 Wed Jul 20 22:07:17 UTC 2005 i686
Locale: LANG=C, LC_CTYPE=C