<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/security/selinux/Makefile, branch linux-6.19.y</title>
<subtitle>Hosts the 0x221E linux distro kernel.</subtitle>
<id>https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-6.19.y</id>
<link rel='self' href='https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-6.19.y'/>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/'/>
<updated>2025-10-22T23:24:28Z</updated>
<entry>
<title>selinux: move initcalls to the LSM framework</title>
<updated>2025-10-22T23:24:28Z</updated>
<author>
<name>Paul Moore</name>
<email>paul@paul-moore.com</email>
</author>
<published>2025-02-18T22:50:39Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=3156bc814f21a976b25c1b4981dcb0f558302b27'/>
<id>urn:sha1:3156bc814f21a976b25c1b4981dcb0f558302b27</id>
<content type='text'>
SELinux currently has a number of initcalls so we've created a new
function, selinux_initcall(), which wraps all of these initcalls so
that we have a single initcall function that can be registered with the
LSM framework.

Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>selinux: add generated av_permissions.h to targets</title>
<updated>2024-12-11T18:42:35Z</updated>
<author>
<name>Thomas Weißschuh</name>
<email>thomas.weissschuh@linutronix.de</email>
</author>
<published>2024-11-27T10:09:22Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=b01c939d5854bbf1acf6109ba7a0f74993a22b19'/>
<id>urn:sha1:b01c939d5854bbf1acf6109ba7a0f74993a22b19</id>
<content type='text'>
av_permissions.h was not declared as a target and therefore not cleaned
up automatically by kbuild.

Suggested-by: Masahiro Yamada &lt;masahiroy@kernel.org&gt;
Link: https://lore.kernel.org/lkml/CAK7LNATUnCPt03BRFSKh1EH=+Sy0Q48wE4ER0BZdJqOb_44L8w@mail.gmail.com/
Signed-off-by: Thomas Weißschuh &lt;thomas.weissschuh@linutronix.de&gt;
Reviewed-by: Masahiro Yamada &lt;masahiroy@kernel.org&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>selinux: move genheaders to security/selinux/</title>
<updated>2024-10-03T20:07:51Z</updated>
<author>
<name>Masahiro Yamada</name>
<email>masahiroy@kernel.org</email>
</author>
<published>2024-09-06T17:29:14Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=3b70b66e03b54428d45c3fe9b8693cffcde45bf6'/>
<id>urn:sha1:3b70b66e03b54428d45c3fe9b8693cffcde45bf6</id>
<content type='text'>
This tool is only used in security/selinux/Makefile.

Move it to security/selinux/ so that 'make clean' can clean it up.

Please note 'make clean' does not clean scripts/ because tools under
scripts/ are often used for external module builds. Obviously, genheaders
is not the case here.

Signed-off-by: Masahiro Yamada &lt;masahiroy@kernel.org&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>selinux: improve debug configuration</title>
<updated>2023-09-13T17:46:57Z</updated>
<author>
<name>Christian Göttsche</name>
<email>cgzones@googlemail.com</email>
</author>
<published>2023-08-18T15:12:14Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=6f594f5a3dc4917be1556e524673420197ca471d'/>
<id>urn:sha1:6f594f5a3dc4917be1556e524673420197ca471d</id>
<content type='text'>
If the SELinux debug configuration is enabled define the macro DEBUG
such that pr_debug() calls are always enabled, regardless of
CONFIG_DYNAMIC_DEBUG, since those messages are the main reason for this
configuration in the first place.

Mention example usage in case CONFIG_DYNAMIC_DEBUG is enabled in the
help section of the configuration.

Signed-off-by: Christian Göttsche &lt;cgzones@googlemail.com&gt;
Reviewed-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>selinux: fix Makefile for versions of make &lt; v4.3</title>
<updated>2023-06-02T19:34:29Z</updated>
<author>
<name>Paul Moore</name>
<email>paul@paul-moore.com</email>
</author>
<published>2023-06-01T21:04:02Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=ec4a491d180b076191e72ef88c240caead1b20fc'/>
<id>urn:sha1:ec4a491d180b076191e72ef88c240caead1b20fc</id>
<content type='text'>
As noted in the comments of this commit, the current SELinux Makefile
requires features found in make v4.3 or later, which is problematic
as the Linux Kernel currently only requires make v3.82.  This patch
fixes the SELinux Makefile so that it works properly on these older
versions of make, and adds a couple of comments to the Makefile about
how it can be improved once make v4.3 is required by the kernel.

Fixes: 6f933aa7dfd0 ("selinux: more Makefile tweaks")
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>selinux: more Makefile tweaks</title>
<updated>2023-05-08T20:26:48Z</updated>
<author>
<name>Paul Moore</name>
<email>paul@paul-moore.com</email>
</author>
<published>2023-05-05T22:48:35Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=6f933aa7dfd0bb84b7935168f1d45abec4f702c1'/>
<id>urn:sha1:6f933aa7dfd0bb84b7935168f1d45abec4f702c1</id>
<content type='text'>
A few small tweaks to improve the SELinux Makefile:

- Define a new variable, 'genhdrs', to represent both flask.h and
  av_permissions.h; this should help ensure consistent processing for
  both generated headers.

- Move the 'ccflags-y' variable closer to the top, just after the
  main 'obj-$(CONFIG_SECURITY_SELINUX)' definition to make it more
  visible and improve the grouping in the Makefile.

- Rework some of the vertical whitespace to improve some of the
  grouping in the Makefile.

Reviewed-by: Ondrej Mosnacek &lt;omosnace@redhat.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>selinux: ensure av_permissions.h is built when needed</title>
<updated>2023-04-12T23:46:35Z</updated>
<author>
<name>Paul Moore</name>
<email>paul@paul-moore.com</email>
</author>
<published>2023-04-12T17:29:11Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=4ce1f694eb5d8ca607fed8542d32a33b4f1217a5'/>
<id>urn:sha1:4ce1f694eb5d8ca607fed8542d32a33b4f1217a5</id>
<content type='text'>
The Makefile rule responsible for building flask.h and
av_permissions.h only lists flask.h as a target which means that
av_permissions.h is only generated when flask.h needs to be
generated.  This patch fixes this by adding av_permissions.h as a
target to the rule.

Fixes: 8753f6bec352 ("selinux: generate flask headers during kernel build")
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>selinux: fix Makefile dependencies of flask.h</title>
<updated>2023-04-12T17:34:20Z</updated>
<author>
<name>Ondrej Mosnacek</name>
<email>omosnace@redhat.com</email>
</author>
<published>2023-04-12T13:59:19Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=bcab1adeaad4b39a1e04cb98979a367d08253f03'/>
<id>urn:sha1:bcab1adeaad4b39a1e04cb98979a367d08253f03</id>
<content type='text'>
Make the flask.h target depend on the genheaders binary instead of
classmap.h to ensure that it is rebuilt if any of the dependencies of
genheaders are changed.

Notably this fixes flask.h not being rebuilt when
initial_sid_to_string.h is modified.

Fixes: 8753f6bec352 ("selinux: generate flask headers during kernel build")
Signed-off-by: Ondrej Mosnacek &lt;omosnace@redhat.com&gt;
Acked-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>selinux: include a consumer of the new IMA critical data hook</title>
<updated>2021-01-15T04:41:46Z</updated>
<author>
<name>Lakshmi Ramasubramanian</name>
<email>nramas@linux.microsoft.com</email>
</author>
<published>2021-01-14T19:15:22Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=fdd1ffe8a812b1109388e4bc389e57b2695ad095'/>
<id>urn:sha1:fdd1ffe8a812b1109388e4bc389e57b2695ad095</id>
<content type='text'>
SELinux stores the active policy in memory, so the changes to this data
at runtime would have an impact on the security guarantees provided
by SELinux.  Measuring in-memory SELinux policy through IMA subsystem
provides a secure way for the attestation service to remotely validate
the policy contents at runtime.

Measure the hash of the loaded policy by calling the IMA hook
ima_measure_critical_data().  Since the size of the loaded policy
can be large (several MB), measure the hash of the policy instead of
the entire policy to avoid bloating the IMA log entry.

To enable SELinux data measurement, the following steps are required:

1, Add "ima_policy=critical_data" to the kernel command line arguments
   to enable measuring SELinux data at boot time.
For example,
  BOOT_IMAGE=/boot/vmlinuz-5.10.0-rc1+ root=UUID=fd643309-a5d2-4ed3-b10d-3c579a5fab2f ro nomodeset security=selinux ima_policy=critical_data

2, Add the following rule to /etc/ima/ima-policy
   measure func=CRITICAL_DATA label=selinux

Sample measurement of the hash of SELinux policy:

To verify the measured data with the current SELinux policy run
the following commands and verify the output hash values match.

  sha256sum /sys/fs/selinux/policy | cut -d' ' -f 1

  grep "selinux-policy-hash" /sys/kernel/security/integrity/ima/ascii_runtime_measurements | tail -1 | cut -d' ' -f 6

Note that the actual verification of SELinux policy would require loading
the expected policy into an identical kernel on a pristine/known-safe
system and running the sha256sum /sys/kernel/selinux/policy there to get
the expected hash.

Signed-off-by: Lakshmi Ramasubramanian &lt;nramas@linux.microsoft.com&gt;
Suggested-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Acked-by: Paul Moore &lt;paul@paul-moore.com&gt;
Reviewed-by: Tyler Hicks &lt;tyhicks@linux.microsoft.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
</content>
</entry>
<entry>
<title>selinux: hash context structure directly</title>
<updated>2020-04-17T20:04:34Z</updated>
<author>
<name>Ondrej Mosnacek</name>
<email>omosnace@redhat.com</email>
</author>
<published>2020-04-17T08:11:56Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=50077289804c9bd4e6cfd5b3a10d4da0487f7e42'/>
<id>urn:sha1:50077289804c9bd4e6cfd5b3a10d4da0487f7e42</id>
<content type='text'>
Always hashing the string representation is inefficient. Just hash the
contents of the structure directly (using jhash). If the context is
invalid (str &amp; len are set), then hash the string as before, otherwise
hash the structured data.

Since the context hashing function is now faster (about 10 times), this
patch decreases the overhead of security_transition_sid(), which is
called from many hooks.

The jhash function seemed like a good choice, since it is used as the
default hashing algorithm in rhashtable.

Signed-off-by: Ondrej Mosnacek &lt;omosnace@redhat.com&gt;
Reviewed-by: Jeff Vander Stoep &lt;jeffv@google.com&gt;
Tested-by: Jeff Vander Stoep &lt;jeffv@google.com&gt;
[PM: fixed some spelling errors in the comments pointed out by JVS]
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
</feed>
