Hi Linus,

We've got a number of SELinux patches for v6.5, but nothing too scary.
It is worth mentioning that there is a minor merge conflict in
security/selinux/Makefile (due to the quick fix sent during the v6.4-rcX
cycle); the proper way to resolve the conflict is to simply take the
version in this pull request.

Here is a quick summary of the changes:

- Thanks to help from the MPTCP folks, it looks like we have finally
  sorted out a proper solution to the MPTCP socket labeling issue, see
  the new security_mptcp_add_subflow() LSM hook.

- Fix the labeled NFS handling such that a labeled NFS share mounted
  prior to the initial SELinux policy load is properly labeled once a
  policy is loaded; more information in the commit description.

- Two patches to security/selinux/Makefile, the first took the cleanups
  in v6.4 a bit further and the second removed the grouped targets
  support as that functionality doesn't appear to be properly supported
  prior to make v4.3.

- Deprecate the "fs" object context type in SELinux policies. The fs
  object context type was an old vestige that was introduced back in
  v2.6.12-rc2 but never really used.

- A number of small changes that remove dead code, clean up some awkward
  bits, and generally improve the quality of the code. See the
  individual commit descriptions for more information.

Thanks,
-Paul

--
The following changes since commit ac9a78681b921877518763ba0e89202254349d1b:

  Linux 6.4-rc1 (2023-05-07 13:34:35 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git tags/selinux-pr-20230626

for you to fetch changes up to 447a5688005e5b789633bd080016517a08f9fd8d:

  selinux: avoid bool as identifier name (2023-06-05 17:04:01 -0400)

----------------------------------------------------------------
selinux/stable-6.5 PR 20230626
----------------------------------------------------------------
Christian Göttsche (10):
      selinux: do not leave dangling pointer behind
      selinux: adjust typos in comments
      selinux: avc: drop unused function avc_disable()
      selinux: drop return at end of void function avc_insert()
      selinux: retain const qualifier on string literal in avtab_hash_eval()
      selinux: declare read-only data arrays const
      selinux: keep context struct members in sync
      selinux: make header files self-including
      selinux: deprecated fs ocon
      selinux: avoid bool as identifier name

Ondrej Mosnacek (1):
      selinux: make labeled NFS work when mounted before policy load

Paolo Abeni (2):
      security, lsm: Introduce security_mptcp_add_subflow()
      selinux: Implement mptcp_add_subflow hook

Paul Moore (3):
      selinux: more Makefile tweaks
      selinux: small cleanups in selinux_audit_rule_init()
      selinux: fix Makefile for versions of make < v4.3

Xiu Jianfeng (1):
      selinux: cleanup exit_sel_fs() declaration

 include/linux/lsm_hook_defs.h                    |  1 +
 include/linux/security.h                         |  6 ++
 net/mptcp/subflow.c                              |  6 ++
 security/security.c                              | 17 ++++++
 security/selinux/Makefile                        | 28 ++++++---
 security/selinux/avc.c                           | 20 ------
 security/selinux/hooks.c                         | 78 +++++++++++++++-----
 security/selinux/ima.c                           |  2 +-
 security/selinux/include/audit.h                 |  2 +-
 security/selinux/include/avc.h                   |  3 -
 security/selinux/include/ibpkey.h                |  1 +
 security/selinux/include/ima.h                   |  2 +-
 security/selinux/include/initial_sid_to_string.h |  3 +
 security/selinux/include/security.h              |  2 +-
 security/selinux/netlabel.c                      |  8 ++-
 security/selinux/selinuxfs.c                     |  4 +-
 security/selinux/ss/avtab.c                      |  2 +-
 security/selinux/ss/avtab.h                      |  2 +-
 security/selinux/ss/conditional.c                |  8 +--
 security/selinux/ss/conditional.h                |  2 +-
 security/selinux/ss/context.h                    |  2 +
 security/selinux/ss/policydb.c                   |  6 +-
 security/selinux/ss/policydb.h                   |  2 +-
 security/selinux/ss/services.c                   | 40 ++++++------
 24 files changed, 158 insertions(+), 89 deletions(-)

--
paul-moore.com
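The Makefile bullet above mentions that grouped targets had to be dropped because they are not supported before GNU make 4.3. The following is an added illustration of what that means, written for this page and not taken from the kernel's security/selinux/Makefile: a generator that emits two headers in one run, expressed first with a grouped target ("&:", make 4.3 and newer) and then with a stamp-file fallback that older make versions understand. The generator command, output directory and header names (gen-headers, out/, flags.h, perms.h) are constructed placeholders, and the feature test relies on GNU make advertising "grouped-target" in its .FEATURES variable, which make 4.3 does.

```make
# Added example, not the kernel's Makefile. Names below are constructed
# placeholders. Recipe lines must start with a literal tab character.
GEN     := ./gen-headers
OUTDIR  := out
HDRS    := $(OUTDIR)/flags.h $(OUTDIR)/perms.h

.PHONY: all clean
all: $(HDRS)

ifeq ($(filter grouped-target,$(.FEATURES)),grouped-target)
# GNU make >= 4.3: a grouped target tells make that ONE execution of the
# recipe produces ALL of the listed files, so a parallel build (-jN) runs
# the generator exactly once and never races two copies of it.
$(HDRS) &: $(GEN) | $(OUTDIR)
	$(GEN) $(OUTDIR)
else
# Older make: "&:" is a syntax error, so route both headers through a
# single stamp file instead. Only the stamp rule has a real recipe; the
# headers have an empty recipe (";") and are considered up to date
# whenever the stamp is. Caveat of this fallback: deleting one header
# without deleting the stamp will not trigger regeneration.
$(HDRS): $(OUTDIR)/.gen.stamp ;
$(OUTDIR)/.gen.stamp: $(GEN) | $(OUTDIR)
	$(GEN) $(OUTDIR)
	touch $@
endif

$(OUTDIR):
	mkdir -p $@

clean:
	rm -rf $(OUTDIR)
```

The point of either form is the same: without it, two ordinary rules that each name one header (or a single rule listing both headers, which make treats as two independent rules) can both fire under "make -j", running the generator twice at once and leaving a half-written header for the compiler to pick up.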