Bug 1300472
Summary: | 32bit libselinux on 64bit system produces invalid result for is_selinux_enabled() | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | tpacyga | ||||
Component: | libselinux | Assignee: | Petr Lautrbach <plautrba> | ||||
Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||
Severity: | unspecified | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 6.7 | CC: | lvrabec, mgrepl, mmalik, plautrba, ssekidde | ||||
Target Milestone: | rc | ||||||
Target Release: | --- | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2016-01-21 07:19:49 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Thank you for the report. This is the kernel issue which will be fixed in the next update. *** This bug has been marked as a duplicate of bug 1158963 *** |
Created attachment 1116738 [details] Proposed patch for libselinux Description of problem: Running the 32bit libselinux library on a 64bit RHEL 6.7 system (don't ask) causes is_selinux_enabled() to return a 0 even when selinux is enabled. After some digging, I noticed that manually building libselinux without any optimization flags set causes everything to work as intended. After further digging, I traced the problem down to the -ftree-vrp flag (part of -O2). I also noticed that with warnings turned on I was getting complaints about a potentially uninitialized variable on line 319 of seusers.c. Moving line 274 up 2 lines fixes the problem (see libselinux.patch attachment). Now it works with all the normal optimization flags (-O2). Version-Release number of selected component (if applicable): RHEL 6.7 x86_64 system running libselinux-2.0.94-5.8 i686 How to reproduce: Just looking at the patch should be clear. In src/seusers.c it is possible to have asprintf at line 272 fail, thus causing the goto err on line 273, at which point fp was never initialized. Moving the fopen on line 274 before line 272 would fix the issue. Now if one would actually want to reproduce the error: 1) Install a 64bit RHEL 6.7 minimal install. 2) Install the 32 bit version of libselinux-2.0.94-5.8 along with the 32 bit version of libselinux-devel-2.0.94-5.8. 3) Write a simple test program that uses is_selinux_enabled(): #include <selinux/selinux.h> #include <stdio.h> int main() { printf("is_selinux_enabled(): %d", is_selinux_enabled()); } 4) Compile for 32bit "gcc test.c -lselinux -m32" 5) If starting up in permissive mode, should return 0 (I have had it return correctly in enforcing mode sometimes), however even in permissive should still return 1 as compared to a standard setup. getenforce will also show disabled even though in permissive mode (even if you do a setenforce 1). 5) Rebuilding the package from source without optimization flags fixes the issue as does applying the patch. May need to specify some env variables to make (make LIBDIR=/usr/lib LDFLAGS=-m32 CFLAGS=-m32). Even if you have trouble reproducing this (I realize it is an uncommon scenario), I think it should be clear enough from the patch that the code is incorrect as is and this should be a simple fix. Thanks, Ted