Bug 180179

Summary: kernel-2.6.15-1.1830_FC4 gives SELinux errors on boot
Product: [Fedora] Fedora
Reporter: Matthew Saltzman <mjs>
Component: kernel
Assignee: Dave Jones <davej>
Status: CLOSED ERRATA
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 5
CC: jmorris, pfrields, sdsmall, wtogami
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Whiteboard: NeedsRetesting
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2007-04-04 21:12:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Matthew Saltzman 2006-02-06 16:47:30 UTC
Description of problem:
During startup, 2.6.15 FC4 kernels produce a number of SELinux audit failures
related to hotplug.


Version-Release number of selected component (if applicable):
kernel-2.6.15-1.1830_FC4

How reproducible:
Always

Steps to Reproduce:
1. Install kernel-2.6.15-1.1830_FC4
2. Boot
3. Watch startup log messages or view dmesg
  
Actual results:
The following audit messages:

audit(1139187977.980:2): avc:  denied  { search } for  pid=579 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187977.988:3): avc:  denied  { search } for  pid=580 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187977.996:4): avc:  denied  { search } for  pid=571 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.004:5): avc:  denied  { search } for  pid=581 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.012:6): avc:  denied  { search } for  pid=582 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.020:7): avc:  denied  { search } for  pid=583 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.028:8): avc:  denied  { search } for  pid=584 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.036:9): avc:  denied  { search } for  pid=567 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.048:10): avc:  denied  { search } for  pid=568 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.056:11): avc:  denied  { search } for  pid=569 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.068:12): avc:  denied  { search } for  pid=573 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.076:13): avc:  denied  { search } for  pid=574 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.088:14): avc:  denied  { search } for  pid=575 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.100:15): avc:  denied  { search } for  pid=577 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.112:16): avc:  denied  { search } for  pid=578 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.124:17): avc:  denied  { search } for  pid=586 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.136:18): avc:  denied  { search } for  pid=587 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.148:19): avc:  denied  { search } for  pid=572 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.160:20): avc:  denied  { search } for  pid=570 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.176:21): avc:  denied  { search } for  pid=576 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir


Expected results:
No audit messages

Additional info:
Started appearing with FC4 2.6.15 kernels.  2.6.14 kernels did not display this
message.

It might be that these messages don't appear in 2.6.14 because they are
suppressed in quiet mode (broken in this kernel at least, as in bug #179919),
but I think they still are problematic.  I'm having issues with USB key drives,
but I haven't tried to isolate that issue yet--seems like it might be related to
this.
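The twenty-one denials above are one access vector repeated once per hotplug process. The parser below, added here as an illustration and not part of the bug report or of any Fedora tooling, reads kernel-2.6.15-style `avc: denied` lines, collapses them by (scontext, tcontext, tclass, permissions), and flags groups whose target is `unlabeled_t`, the signature of an object that had no in-core label at check time rather than of a missing policy rule. The sample input is copied from the report (three of the lines, plus one constructed non-AVC line to show it is skipped); the group key layout and the `unlabeled_target` flag are this example's own design choices.

```python
import re
from dataclasses import dataclass

# Three AVC lines copied from the bug report above, plus one constructed
# non-AVC line to show that unrelated kernel output is ignored.
SAMPLE_LOG = """\
audit(1139187977.980:2): avc:  denied  { search } for  pid=579 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187977.988:3): avc:  denied  { search } for  pid=580 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.004:5): avc:  denied  { search } for  pid=581 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
usb 1-1: new full speed USB device using uhci_hcd and address 2
"""

# Header of a 2.6.x AVC message: audit(<secs>.<msecs>:<serial>): avc: denied { perms } for <fields>
AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be quoted (comm="hotplug") or bare (dev=dm-0).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Avc:
    timestamp: float
    serial: int
    result: str
    perms: tuple
    fields: dict


def parse_avc(line):
    """Parse one AVC line; return None for anything that is not an AVC message."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return Avc(float(m.group('ts')), int(m.group('serial')), m.group('result'),
               tuple(m.group('perms').split()), fields)


def parse_log(text):
    return [rec for rec in (parse_avc(l) for l in text.splitlines()) if rec]


def type_of(context):
    """Third field of user:role:type[:level]; None if the context is malformed."""
    parts = (context or '').split(':')
    return parts[2] if len(parts) >= 3 else None


def summarize(records):
    """Group denials by access vector so repeated hotplug runs collapse to one entry.

    Returns {(scontext, tcontext, tclass, perms): {'count', 'pids', 'comms', 'unlabeled_target'}}.
    """
    groups = {}
    for r in records:
        if r.result != 'denied':
            continue
        f = r.fields
        key = (f.get('scontext'), f.get('tcontext'), f.get('tclass'), r.perms)
        g = groups.setdefault(key, {'count': 0, 'pids': [], 'comms': set(),
                                    'unlabeled_target': type_of(key[1]) == 'unlabeled_t'})
        g['count'] += 1
        if 'pid' in f:
            g['pids'].append(int(f['pid']))
        g['comms'].add(f.get('comm', '?'))
    return groups


if __name__ == '__main__':
    for (sctx, tctx, tclass, perms), g in summarize(parse_log(SAMPLE_LOG)).items():
        note = ' [target unlabeled: check labeling/ordering, not policy]' if g['unlabeled_target'] else ''
        print(f"{g['count']:3d}x {sctx} -> {tctx}:{tclass} {{ {' '.join(perms)} }} "
              f"comm={','.join(sorted(g['comms']))} pids={g['pids']}{note}")
```

On the full report this yields a single group with count 21. The `unlabeled_target` flag is the check worth keeping: a denial against `unlabeled_t` should not be fed to audit2allow to mint an `allow hotplug_t unlabeled_t:dir search;` rule, because the object is labeled correctly on disk and the problem is when it was looked at, which is what the maintainers' comments below describe.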

Comment 1 Matthew Saltzman 2006-02-06 19:51:30 UTC
Have verified that these messages are suppressed in quiet mode, but in non-quiet
mode, they appear with FC4 2.6.14 kernels also.

Comment 2 Stephen Smalley 2006-02-06 20:04:05 UTC
Likely an interleaving of device detection / hotplug execution with the initial
setup of SELinux upon the initial policy load by init.  Not certain as to the
best solution here.


Comment 3 Dave Jones 2006-02-19 05:58:41 UTC
Stephen, would your patch from bug 180296 suppress this?


Comment 4 Stephen Smalley 2006-02-21 13:22:39 UTC
No, different issue.  In this case (IIUC), the inodes are labeled correctly on
disk, but we are hitting a race between the initial setup of SELinux upon first
policy load by /sbin/init and a hotplug execution, so that hotplug is accessing
inodes before SELinux gets done setting up their incore labels.  This is tricky,
as we have to allow execution of usermode helpers prior to initial policy load
for any setup prior to /sbin/init (e.g. from initrd), but we want to essentially
block them once we initiate a policy load until the entire SELinux setup is
finished.

Comment 5 Dave Jones 2006-09-17 02:51:42 UTC
[This comment added as part of a mass-update to all open FC4 kernel bugs]

FC4 has now transitioned to the Fedora legacy project, which will continue to
release security related updates for the kernel.  As this bug is not security
related, it is unlikely to be fixed in an update for FC4, and has been migrated
to FC5.

Please retest with Fedora Core 5.

Thank you.


Comment 6 Dave Jones 2006-10-16 19:02:57 UTC
A new kernel update has been released (Version: 2.6.18-1.2200.fc5)
based upon a new upstream kernel release.

Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.

This bug has been placed in NEEDINFO state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

In the last few updates, some users upgrading from FC4->FC5
have reported that installing a kernel update has left their
systems unbootable. If you have been affected by this problem
please check you only have one version of device-mapper & lvm2
installed.  See bug 207474 for further details.

If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.

If this bug has been fixed, but you are now experiencing a different
problem, please file a separate bug for the new problem.

Thank you.