Bug 188068

Summary: FC4 kernel doesn't understand MLS
Product: [Fedora] Fedora Reporter: Ron Yorston <rmy>
Component: kernelAssignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 4CC: jmorris, sdsmall, wtogami
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: 2.6.16-1.2107_FC4 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-05-03 19:26:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Fix MLS compatibility patch in 2.6.16 none

Description Ron Yorston 2006-04-05 18:21:47 UTC 
Description of problem:
The FC4 kernel doesn't understand the MLS suffix in the context of on-disk
inodes which have been created in FC5.  This results in errors like:

Apr  1 10:30:24 random kernel: inode_doinit_with_dentry: 
context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352500

for files in the /home directory that I want to share between FC4 and FC5.  To
get FC4 to work I have to boot with enforcing=0.

I think the RHEL4 kernel has the same problem.

Version-Release number of selected component (if applicable):
2.6.16-1.2069_FC4

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Stephen Smalley 2006-04-05 18:49:41 UTC 
I thought that this was resolved in bug 174618 and upstream in 2.6.15.
But the reporter indicates that it is still causing problems.
Bug 177349 tracks the RHEL4 fix.
Comment 2 Stephen Smalley 2006-04-05 18:57:17 UTC 
(In reply to comment #1)
> I thought that this was resolved in bug 174618 and upstream in 2.6.15.
> But the reporter indicates that it is still causing problems.
> Bug 177349 tracks the RHEL4 fix.

Oops, the latter should be bug 177439.
Comment 3 Ron Yorston 2006-04-06 21:12:41 UTC 
Created attachment 127429 [details]
Fix MLS compatibility patch in 2.6.16

It looks as though it's an off-by-one issue.  In mls_context_to_sid in mls.c
the parsing code is returning *scontext pointing to one beyond the terminating
null in the string.  The compatibility code needs to add one more to *scontext
to allow for this.

With this patch added to the 2.6.16-1.2069_FC4 kernel I'm able to boot my FC4
installation in enforcing mode and access files in my shared /home.  The
context_to_sid warnings have all gone.
Comment 4 Stephen Smalley 2006-04-11 14:58:44 UTC 
Attachment 127429 [details] is correct (to the extent that the mls parsing code and length
check is correct, which can be debated, but that is another matter).
Acked-by:  Stephen Smalley <sds.gov>