Re: [PATCH v2 0/2] cipso: make cipso_v4_skbuff_delattr() fully remove the CIPSO options
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: 2024-06-10 15:15:06
Also in:
linux-security-module
On Fri, Jun 7, 2024 at 8:50 PM Casey Schaufler [off-list ref] wrote:
> On 6/7/2024 9:07 AM, Ondrej Mosnacek wrote:
> > This series aims to improve cipso_v4_skbuff_delattr() to fully remove the CIPSO options instead of just clearing them with NOPs. That is implemented in the second patch, while the first patch is a bugfix for cipso_v4_delopt() that the second patch depends on.
> >
> > Tested using selinux-testsuite a TMT/Beakerlib test from this PR:
> > https://src.fedoraproject.org/tests/selinux/pull-request/488
>
> Smack also uses CIPSO. The Smack testsuite is:
> https://github.com/smack-team/smack-testsuite.git

I tried to run it now, but 6 out of 114 tests fail for me already on the baseline kernel (I tried with the v6.9 tag from mainline). The output is not very verbose, so I'm not sure what is actually failing and if it's caused by something on my side... With my patches applied, the number of failed tests was the same, though, so there is no evidence of a regression, at least.

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.