On Tuesday, July 29, 2014 08:41:09 PM Milan Broz wrote:
> The AF_ALG socket was missing a security label (e.g. SELinux)
> which means that socket was in "unlabeled" state.
>
> This was recently demonstrated in the cryptsetup package
> (cryptsetup v1.6.5 and later.)
> See https://bugzilla.redhat.com/show_bug.cgi?id=1115120
>
> This patch clones the sock's label from the parent sock
> and resolves the issue (similar to AF_BLUETOOTH protocol family).
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Milan Broz <gmazyland@xxxxxxxxx>
> ---
> crypto/af_alg.c | 2 ++
> 1 file changed, 2 insertions(+)

Thanks Milan, this patch looks good to me.

Crypto folks, assuming no objections, could you try to push this patch this week so it hits 3.16 proper (assuming no more -rc releases)? Without this patch the latest versions of cryptsetup could fail on a SELinux system leaving the system unable to boot with SELinux in enforcing mode.

Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>

> diff --git a/crypto/af_alg.c b/crypto/af_alg.c > index 966f893..6a3ad80 100644 > --- a/crypto/af_alg.c > +++ b/crypto/af_alg.c > @@ -21,6 +21,7 @@ > #include <linux/module.h> > #include <linux/net.h> > #include <linux/rwsem.h> > +#include <linux/security.h> > > struct alg_type_list { > const struct af_alg_type *type; > @@ -243,6 +244,7 @@ int af_alg_accept(struct sock *sk, struct socket > *newsock) > > sock_init_data(newsock, sk2); > sock_graft(sk2, newsock); > + security_sk_clone(sk, sk2); > > err = type->accept(ask->private, sk2); > if (err) {

--
paul moore
www.paul-moore.com
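Review bot: in the af_alg_accept() hunk, the new security_sk_clone(sk, sk2) call carries no comment saying why the accepted socket inherits the parent's label, and it is placed after sock_graft(sk2, newsock) rather than before it. A one-line comment above the call (for example, that sk2 would otherwise stay "unlabeled", as the commit message describes) would keep the reason next to the code, and it is worth stating in the changelog whether running the clone after sock_graft() is intentional, since anything sock_graft() does with sk2 happens before the label is copied. The call also sits ahead of the type->accept() error check, so the label is copied even on the path where accept fails; that looks harmless from the visible lines but deserves a quick confirmation against the error-handling code below the hunk.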