WARNING in apparmor_secid_to_secctx
Stephen Smalley
sds at tycho.nsa.gov
Fri Aug 31 16:17:49 UTC 2018
On 08/31/2018 12:16 PM, Stephen Smalley wrote:
> On 08/31/2018 12:07 PM, Paul Moore wrote:
>> On Fri, Aug 31, 2018 at 12:01 PM Stephen Smalley <sds at tycho.nsa.gov>
>> wrote:
>>> On 08/29/2018 10:21 PM, Dmitry Vyukov wrote:
>>>> On Wed, Aug 29, 2018 at 7:17 PM, syzbot
>>>> <syzbot+21016130b0580a9de3b5 at syzkaller.appspotmail.com> wrote:
>>>>> Hello,
>>>>>
>>>>> syzbot found the following crash on:
>>>>>
>>>>> HEAD commit: 817e60a7a2bb Merge branch 'nfp-add-NFP5000-support'
>>>>> git tree: net-next
>>>>> console output:
>>>>> https://syzkaller.appspot.com/x/log.txt?x=1536d296400000
>>>>> kernel config:
>>>>> https://syzkaller.appspot.com/x/.config?x=531a917630d2a492
>>>>> dashboard link:
>>>>> https://syzkaller.appspot.com/bug?extid=21016130b0580a9de3b5
>>>>> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
>>>>>
>>>>> Unfortunately, I don't have any reproducer for this crash yet.
>>>>>
>>>>> IMPORTANT: if you fix the bug, please add the following tag to the
>>>>> commit:
>>>>> Reported-by: syzbot+21016130b0580a9de3b5 at syzkaller.appspotmail.com
>>>>
>>>> Hi John, Tyler,
>>>>
>>>> I've switched syzbot from selinux to apparmor as we discussed on lss:
>>>> https://github.com/google/syzkaller/commit/2c6cb254ae6c06f61e3aba21bb89ffb05b5db946
>>>>
>>>
>>> Sorry, does this mean that you are no longer testing selinux via syzbot?
>>> That seems unfortunate. SELinux is default-enabled and used in
>>> Fedora, RHEL and all derivatives (e.g. CentOS), and mandatory in Android
>>> (and seemingly getting some use in ChromeOS now as well, at least for
>>> the Android container and possibly wider), so it seems unwise to drop it
>>> from your testing altogether. I was under the impression that you were
>>> just going to add apparmor to your testing matrix, not drop selinux
>>> altogether.
>>
>> It is also important to note that testing with SELinux enabled but no
>> policy loaded is not going to be very helpful (last we talked that is
>> what syzbot is/was doing). While syzbot did uncover some issues
>> relating to the enabled-no-policy case, those are much less
>> interesting and less relevant than the loaded-policy case.
>
> I had thought that they had switched over to at least loading a policy
> but possibly left it in permissive mode because the base distribution
> didn't properly support SELinux out of the box. But I may be mistaken.
> Regardless, the right solution is to migrate to testing with a policy
> loaded not to stop testing altogether.
>
> Optimally, they'd test on at least one distribution/OS where SELinux is
> in fact supported out of the box, e.g. CentOS, Android, and/or ChromeOS.
Or Fedora, of course.
More information about the Linux-security-module-archive
mailing list