Bug 161834

Summary: kernel panic after updating to 1.17.30-3.13
Product: Fedora
Reporter: Darren Brierton <darren>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: medium
Version: 3
CC: jacob54us, j, nathan-redhatbugzilla, rchiodin, sdsmall, tim.fenn, walt
Hardware: i686
OS: Linux
Fixed In Version: 1.17.30-3.16
Doc Type: Bug Fix
Last Closed: 2005-08-19 09:45:45 UTC

Attachments:
avc denied messages from /var/log/messages for selinux-policy-targeted-1.17.30-3.13 (flags: none)

Description Darren Brierton 2005-06-27 16:53:46 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
I ran sudo yum update today and selinux-policy-targeted and selinux-policy-targeted-sources were updated and immediately my system became unresponsive and I had to do a hard reboot.

Afterwards I could not boot into FC3 at all. This was the error I got:

audit(1119882959.657:0): avc: denied { execmod } for pid=1 comm=init path=/lib/tls/libc-2.3.5.so dev=hda3 ino=2638668 
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:shlib_t 
tclass=file
/sbin/init: error while loading shared libraries : /lib/tls/libc.so.6: 
cannot apply additional memory protection after relocation: Permission 
denied
Kernel panic - not syncing: Attempted to kill init!

I rebooted using enforcing=0 (rather than selinux=0) successfully. I then did the following:

su -
rpm -ev selinux-policy-targeted selinux-policy-targeted-sources
rm -fR /etc/selinux/targeted/
rpm -ivh /var/cache/yum/updates-released/packages/selinux-policy-targeted-1.17.30-3.9.noarch.rpm /var/cache/yum/updates-released/packages/selinux-policy-targeted-sources-1.17.30-3.9.noarch.rpm
touch /.autorelabel

and everything worked fine.

Once I was confident that I could easily revert back to a working system, I thought I would try the updated 1.17.30-3.13 packages again. So I removed the cached versions of the packages, downloaded them manually, and then repeated the steps above so that instead of upgrading the packages I did a completely clean install of them. This time the system didn't become unstable but again I couldn't reboot, for exactly the same reason as before.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-3.13

How reproducible:
Always

Steps to Reproduce:
1. Install selinux-policy-targeted-1.17.30-3.13
2. Reboot.
3.
  

Actual Results:  Kernel panic.

Expected Results:  A bootable system.

Additional info:

Comment 1 Darren Brierton 2005-06-27 16:56:10 UTC
I'm currently running kernel-2.6.11-1.27_FC3.

Comment 2 Stephen Smalley 2005-06-27 17:42:27 UTC
rpm -q -f /lib/tls/libc-2.3.5.so
What is it?  A compatibility library?  Why does it require text relocations?

execmod and execmem need to be allowed universally on FC3 until it is updated
to 2.6.12, as ppc32 systems will otherwise fail due to RWE segments and even
x86 systems will have problems with legacy binaries.

Un-aliasing lib_t, shlib_t, and texrel_shlib_t in a policy update is unsafe; the
kernel has already internally folded them together into a single type on any
incore inodes.

Comment 3 Darren Brierton 2005-06-27 21:20:23 UTC
(In reply to comment #2)
> rpm -q -f /lib/tls/libc-2.3.5.so
> What is it?

$ rpm -qf /lib/tls/libc-2.3.5.so
glibc-2.3.5-0.fc3.1

$ rpm -qf /lib/tls/libc.so.6
glibc-2.3.5-0.fc3.1


Comment 4 Christofer C. Bell 2005-06-27 22:39:24 UTC
Created attachment 116038 [details]
avc denied messages from /var/log/messages for selinux-policy-targeted-1.17.30-3.13

The log messages start approximately 1 hour after the yum update service
installed the new selinux policy on my system. They continue until my attempts
to shut down the machine failed due to the new policy. I've since reverted to
the previous version and all issues have resolved. I believe this to be a bug
with the new policy files.

Comment 5 Arthur Pemberton 2005-06-28 14:08:42 UTC
From /var/log/yum.log:

Jun 27 04:25:18 Updated: selinux-policy-targeted.noarch 1.17.30-3.13
Jun 27 04:26:21 Updated: selinux-policy-targeted-sources.noarch 1.17.30-3.13
------------------------------------------------

Since then things have come tumbling down here are samples of the errors:

Jun 27 04:25:27 Romeo kernel: audit(1119860727.362:0): avc:  denied  { execmod }
for  pid=6990 comm=sendmail path=/lib/tls/libm-2.3.5.so dev=dm-0 ino=5455897
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

Jun 27 04:30:01 Romeo kernel: audit(1119861001.392:0): avc:  denied  { execmod }
for  pid=6994 comm=crond path=/lib/libnsl-2.3.5.so dev=dm-0 ino=5455874
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

Jun 27 04:30:01 Romeo kernel: audit(1119861001.413:0): avc:  denied  { execmod }
for  pid=6994 comm=crond path=/lib/libcrypt-2.3.5.so dev=dm-0 ino=5455909
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

Jun 27 04:53:38 Romeo kernel: audit(1119862418.204:0): avc:  denied  { execmem }
for  pid=4238 comm=mysqld scontext=user_u:system_r:mysqld_t
tcontext=user_u:system_r:mysqld_t tclass=process

Jun 27 08:22:09 Romeo kernel: audit(1119874929.566:0): avc:  denied  { connect }
for  pid=4251 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t
tcontext=user_u:system_r:httpd_t tclass=tcp_socket
-------------------------------------------------------------

The most noticeable result of all this is that mysql has died:

050627 07:19:27  mysqld started
050627  7:19:28 [Warning] Asked for 196608 thread stack, but got 126976
050627  7:19:28 [ERROR] Fatal error: Can't change to run as user 'mysql' ; 
Please check that the user exists!

(I still have not been able to figure out where the mysql user disappeared to)

I have since reverted to the previous release and everything is back to normal.

Comment 6 Stephen Smalley 2005-06-28 15:25:18 UTC
If anyone is willing to reproduce, please do the following:
- Put the machine into permissive mode first (boot the kernel with enforcing=0
or run setenforce 0 prior to the next step),
- Enable syscall auditing first (boot the kernel with audit=1 or run auditctl -e
1 prior to the next step),
- Clear /var/log/messages,
- Update to the broken policy,
- Collect some audit data in /var/log/messages,
- Try running one of programs that was failing under strace and collect that output,
- Revert to a working policy,
- Reboot.

The main issue that concerns me is why execmod checks are being triggered
here, as they should only occur on attempts to make executable a modified
private file mapping, typically only for text relocations, and thus they
should not be pervasive even given the brokenness of that particular policy.
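
As an added illustration, not part of this bug report or of the SELinux policy package, the following Python script does the triage that comments 5 and 6 call for: it re-joins log lines that the bug tracker wrapped, parses each AVC record into its fields, counts denials by permission and object class, and lists the files on which execmod was denied, since comment 6 notes those should only appear for text relocations and a flood of them across ordinary libraries points at the policy rather than the libraries. The sample log is constructed from the lines quoted in comment 5 and from a non-AVC kernel line; the type names and paths are the ones that appear on this page.

```python
import re
from collections import Counter

# Constructed sample, modeled on the denials quoted in comment 5 of this bug,
# wrapped the way the bug tracker shows them.  One non-AVC line is included
# to show that it is ignored.
SAMPLE_LOG = """\
Jun 27 04:25:27 Romeo kernel: audit(1119860727.362:0): avc:  denied  { execmod }
for  pid=6990 comm=sendmail path=/lib/tls/libm-2.3.5.so dev=dm-0 ino=5455897
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

Jun 27 04:30:01 Romeo kernel: audit(1119861001.392:0): avc:  denied  { execmod }
for  pid=6994 comm=crond path=/lib/libnsl-2.3.5.so dev=dm-0 ino=5455874
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

Jun 27 04:53:38 Romeo kernel: audit(1119862418.204:0): avc:  denied  { execmem }
for  pid=4238 comm=mysqld scontext=user_u:system_r:mysqld_t
tcontext=user_u:system_r:mysqld_t tclass=process

Jun 27 08:22:09 Romeo kernel: audit(1119874929.566:0): avc:  denied  { connect }
for  pid=4251 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t
tcontext=user_u:system_r:httpd_t tclass=tcp_socket

Jun 27 08:22:10 Romeo kernel: SELinux: initialized (dev hda2, type ext3), uses xattr
"""

# A syslog line starts with "Mon DD HH:MM:SS "; anything else is a continuation.
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def unwrap(text):
    """Re-join lines wrapped by a mailer or bug tracker into whole syslog lines."""
    out = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not out:
            out.append(line)
        elif line.strip():
            out[-1] += " " + line.strip()
    return out


def parse_avc(line):
    """Return a dict of the AVC record in `line`, or None if it is not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    # Pull the type out of user:role:type so callers can filter on it directly.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) >= 3 else rec[ctx]
    return rec


def parse_log(text):
    """Unwrap and parse a log excerpt, keeping only AVC records."""
    return [r for r in (parse_avc(l) for l in unwrap(text)) if r]


def summarize(records):
    """Count denials by (permission, target class)."""
    counts = Counter()
    for r in records:
        if r["verdict"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(perm, r.get("tclass", "?"))] += 1
    return counts


def execmod_files(records):
    """Files on which execmod was denied; these are the text-relocation
    candidates worth checking (comment 6), as opposed to execmem on a
    process or unrelated denials such as socket connects."""
    return sorted({r["path"] for r in records
                   if r["verdict"] == "denied" and "execmod" in r["perms"]
                   and r.get("tclass") == "file" and "path" in r})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (perm, tclass), n in sorted(summarize(recs).items()):
        print(f"{n:4d}  {perm:10s} {tclass}")
    print("execmod on files:", ", ".join(execmod_files(recs)))
```

Run it against a copy of /var/log/messages collected in permissive mode as comment 6 describes; because nothing is enforced in that mode, every denial the policy would have imposed is logged, so the summary shows the full footprint of the policy change rather than only the first failure.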


Comment 7 Stephen Smalley 2005-06-28 18:29:51 UTC
Per bz 161867, the problem only manifested on systems running kernel
2.6.11-1.27_FC3, not on systems running kernel 2.6.11-1.35_FC3.  AFAIK,
SELinux kernel code did not change between these kernels; FC3 kernel carries no
SELinux-related patches and the baseline didn't include any.  Side effect of
another kernel patch, e.g. exec-shield?


Comment 8 Stew Schneider 2005-06-30 23:39:51 UTC
(In reply to comment #6)
> If anyone is willing to reproduce, please do the following:
I added audit=1 to the kernel boot line and set /etc/selinux/config to
permissive. I'm running kernel 2.6.11-1.35_FC3. Last night, I updated to SELinux
policy selinux-policy-targeted.noarch 0:1.17.30-3.15. Prior to that, I had the
kernel panic mentioned once, and was unable to run OpenOffice 1.9x or 1.1 unless
I entered setenforce 0. After following your instructions, I got the following
(edited from /var/log/messages):
Jun 30 18:56:37 Lenny kernel: SELinux:  Initializing.
Jun 30 18:56:37 Lenny kernel: SELinux:  Starting in permissive mode
. . .
Jun 30 18:56:37 Lenny kernel: selinux_register_security:  Registering secondary
module capability
Jun 30 18:56:37 Lenny kernel: SELinux:  Registering netfilter hooks
. . .
Jun 30 18:56:38 Lenny kernel: security:  3 users, 4 roles, 343 types, 30 bools
Jun 30 18:56:38 Lenny kernel: security:  55 classes, 14891 rules
Jun 30 18:56:38 Lenny kernel: SELinux:  Completing initialization.
Jun 30 18:56:38 Lenny kernel: SELinux:  Setting up existing superblocks.
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev hda2, type ext3), uses xattr
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev selinuxfs, type
selinuxfs), uses genfs_contexts
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev mqueue, type mqueue),
not configured for labeling
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev hugetlbfs, type
hugetlbfs), not configured for labeling
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev devpts, type devpts),
uses transition SIDs
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev eventpollfs, type
eventpollfs), uses genfs_contexts
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev futexfs, type futexfs),
uses genfs_contexts
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev pipefs, type pipefs),
uses task SIDs
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev sockfs, type sockfs),
uses task SIDs
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev proc, type proc), uses
genfs_contexts
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev bdev, type bdev), uses
genfs_contexts
Jun 30 18:56:38 Lenny netfs: Mounting other filesystems:  succeeded
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev rootfs, type rootfs),
uses genfs_contexts
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev sysfs, type sysfs), uses
genfs_contexts
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev usbfs, type usbfs), uses
genfs_contexts
. . .
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev hda1, type ext3), uses xattr
Jun 30 18:56:38 Lenny kernel: kjournald starting.  Commit interval 5 seconds
Jun 30 18:56:38 Lenny kernel: EXT3 FS on hdb1, internal journal
Jun 30 18:56:38 Lenny kernel: EXT3-fs: mounted filesystem with ordered data mode.
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev hdb1, type ext3), uses xattr
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
Jun 30 18:56:38 Lenny kernel: Adding 779144k swap on /dev/hda3.  Priority:-1
extents:1
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev binfmt_misc, type
binfmt_misc), uses genfs_contexts
Jun 30 18:56:38 Lenny kernel: parport0: PC-style at 0x378 (0x778) [PCSPP,TRISTATE]
Jun 30 18:56:38 Lenny kernel: parport0: irq 7 detected
Jun 30 18:56:38 Lenny kernel: parport0: Printer, EPSON Stylus C84
Jun 30 18:56:38 Lenny kernel: Device not ready. Make sure there is a disc in the
drive.
Jun 30 18:56:38 Lenny kernel: Device not ready. Make sure there is a disc in the
drive.
Jun 30 18:56:38 Lenny autofs: automount startup succeeded
Jun 30 18:56:38 Lenny kernel: Device not ready. Make sure there is a disc in the
drive.
Jun 30 18:56:38 Lenny last message repeated 5 times
Jun 30 18:56:38 Lenny kernel: ip_tables: (C) 2000-2002 Netfilter core team
Jun 30 18:56:38 Lenny kernel: ip_conntrack version 2.1 (2560 buckets, 20480 max)
- 272 bytes per conntrack
Jun 30 18:56:38 Lenny kernel: PCI: Found IRQ 10 for device 0000:00:0f.0
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev rpc_pipefs, type
rpc_pipefs), uses genfs_contexts
. . .
Jun 30 18:56:58 Lenny rc: Starting readahead:  succeeded
Jun 30 18:56:58 Lenny kernel: audit(1120172218.630:754310): avc:  denied  {
execmod } for  pid=3688 comm=rcd path=/lib/ld-2.3.5.so dev=hda2 ino=798573
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:ld_so_t tclass=file
Jun 30 18:56:58 Lenny kernel: audit(1120172218.630:754310): syscall=125
per=400000 exit=0 a0=b7ffe000 a1=1000 a2=1 a3=b7fff1b8 items=0 pid=3688
loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
. . .
Jun 30 18:57:31 Lenny gdm[4105]: gdm_auth_user_add: /home/stewart/.Xauthority
has wrong permissions (should be 0600)
Jun 30 18:57:57 Lenny gconfd (stewart-4333): starting (version 2.8.1), pid 4333
user 'stewart'
Jun 30 18:57:57 Lenny gconfd (stewart-4331): starting (version 2.8.1), pid 4331
user 'stewart'
Jun 30 18:57:57 Lenny gconfd (stewart-4333): Failed to get lock for daemon,
exiting: Failed to lock '/tmp/gconfd-stewart/lock/ior': probably another process
has the lock, or your operating system has NFS file locking misconfigured
(Resource temporarily unavailable)
Jun 30 18:57:58 Lenny gconfd (stewart-4331): Resolved address
"xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration
source at position 0
Jun 30 18:57:58 Lenny gconfd (stewart-4331): Resolved address
"xml:readwrite:/home/stewart/.gconf" to a writable configuration source at
position 1
Jun 30 18:57:58 Lenny gconfd (stewart-4331): Resolved address
"xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source
at position 2
Jun 30 18:57:59 Lenny kernel: audit(1120172279.751:1094460): avc:  denied  {
execmod } for  pid=4337 comm=gpg path=/usr/bin/gpg dev=hda2 ino=344168
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 18:57:59 Lenny kernel: audit(1120172279.751:1094460): syscall=125
per=400000 exit=0 a0=b7f5e000 a1=a2000 a2=5 a3=b7f5ff3e items=0 pid=4337
loginuid=-1 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
Jun 30 18:58:21 Lenny kernel: NET: Registered protocol family 4
Jun 30 18:58:21 Lenny kernel: NET: Registered protocol family 5

. . .

With SELinux set to permissive, I can run OpenOffice. With it set to enforce, I
cannot. HTH

Comment 9 Stew Schneider 2005-07-03 13:09:47 UTC
A note from another member of our LUG:
Anyway, now I'm getting this when I try to boot my computer.

avc: denied {execmod} for pid=1 comm=init path=/lib/ld-2.3.5.so dev=hda2
ino=6291464 scontext=user_u:system_r: uconfined_t tcontext=system_u:
object_r:ld_so_t tclass=file



sbin/init:  error while loading shared libraries: /lib/ld-linux.so.2: 
cannot apply additional memory protection after relocation:  Permission
denied

Kernel panic - not syncing:  Attempted to kill init!


I'm running Fedora Core 3 with kernel 2.6.11.11 

Comment 10 Daniel Walsh 2005-07-03 15:20:29 UTC
Fixed in selinux-policy-targeted-1.17.30-3.16

Comment 11 Walter Justen 2005-08-19 09:45:45 UTC
package update is public