On 10/31/2017 2:23 PM, Jason Gunthorpe wrote: > On Tue, Oct 31, 2017 at 12:22 PM, Daniel Jurgens <danielj@xxxxxxxxxxxx> wrote: > >> Sounds like the crash is resolved and now you're getting a denial >> from a security module. I looked in the code, it looks like > If Chris was hitting that crash it means his security module failed the > mad action, as that is the only way to trigger it. > >> AppArmor doesn't register any callbacks for the ib_* security hooks, >> and if no hook is registered it should return 0. Can you tell me >> more about your setup so I can create a reproducer? What OS are you >> using? Can you double check that SELinux isn't enabled (see output >> of sestatus). > Which suggests to me that apparmour is not working properly with the > rdma selinux patches?? It seems that way. I can't explain it looking at the code, I'm trying to reproduce it for debug. A point of clarification, the RDMA "SELinux" patches aren't SELinux specific. They interact with the LSM, a layer of abstraction between the security modules and the rest of the kernel. Zero or more security modules like SELinux or AppArmor can implement the security hooks. The default return value for the hook in question is 0 if no modules implement it. It doesn't look like AppArmor implements it. > Jason > -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
