Bug 203801

Summary: LSPP- 'newrole' SELinux command getting 'SIGPIPE' with 40000 Chars
Product: Red Hat Enterprise Linux 5
Reporter: IBM Bug Proxy <bugproxy>
Component: policycoreutils
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 5.0
CC: dwalsh, iboverma, pgraner, sgrubb
Target Milestone: ---
Target Release: ---
Hardware: s390x
OS: Linux
Fixed In Version: beta2
Doc Type: Bug Fix
Last Closed: 2006-12-23 00:04:06 UTC
Attachments:
-strace of newrole command
-ltrace of newrole command
-libselinux patch to address this bug in general

Description IBM Bug Proxy 2006-08-23 19:47:00 UTC
LTC Owner is: srinivds.com
LTC Originator is: nasastry.com


---Problem Description---
Getting SIGPIPE when passing 40000 characters as arguments to the 'newrole'
SELinux command
 
Contact Information = nasastry.com
 
---uname output---
Linux HOSTNAME 2.6.17-1.2473.el5 #1 SMP Fri Jul 28 18:14:57 EDT 2006 s390x s390x
s390x GNU/Linux
 
Machine Type = 2066
 
---Debugger---
A debugger is not configured
 
---Steps to Reproduce---
Run the following command.
# b=`perl -e "print 'A'x40000"` ; newrole -r system_r$b -t unconfined_t$b -- -c ls$b
Authenticating root.
Password: xxxxxxxx
# echo $?
141        <-----128+13=141 (13 stands for SIGPIPE)
 
---Base System Tools Component Data--- 
/etc/selinux/config output: # cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

Userspace tool common name: newrole
 
"rpm -qa | grep -i selinux" output: # rpm -qa | grep -i selinux
libselinux-devel-1.30.12-1
libselinux-1.30.12-1
libselinux-python-1.30.12-1
libselinux-devel-1.30.12-1
selinux-policy-targeted-2.2.47-1
selinux-policy-strict-2.2.47-1
libselinux-1.30.12-1
selinux-policy-2.2.47-1
selinux-policy-mls-2.2.47-1

The userspace tool has the following bit modes: 64-bit

Userspace rpm: policycoreutils-1.30.12-5
 
*Additional Instructions for nasastry.com: 
-Post a private note with access information to the machine that the bug is
occurring on.
-Attach ltrace and strace of userspace application.
Attaching ltrace and strace output
-Attach contents of /var/log/messages

<related message from /var/log/messages>
Aug 23 16:33:58 india5 mcstransd: Servicing of request failed for fd (5)
</related>

<related message from dmesg>
Unable to handle kernel pointer dereference at virtual kernel address
0000000000000000
Oops: 0004 [#1]
CPU:    0    Not tainted
Process newrole (pid: 20725, task: 000000007ff72e90, ksp: 0000000050a33bc0)
Krnl PSW : 0704200180000000 0000000000160b6c (_raw_read_lock+0x50/0x120)
Krnl GPRS: 0000000000000001 0000000000000000 0000000000000001 0000000000000000
           0000000000160b5c 0000000000000002 0000000000000002 000000005085b000
           0000000000000008 00000000ffffff9c 0000000050a33e48 0000000050a33c40
           0000000000000008 0000000000252418 0000000000160b5c 0000000050a33c40
Krnl Code: ba 32 80 00 19 31 a7 84 00 5e b9 04 00 28 c0 e5 ff ff f2 f5
Call Trace:
([<0000000000160b5c>] _raw_read_lock+0x40/0x120)
 [<0000000000237bca>] _read_lock+0x4e/0x5c
 [<00000000000bc674>] do_path_lookup+0x60/0x408
 [<00000000000bd586>] __user_walk_fd+0x5e/0x7c
 [<00000000000a474a>] sys_faccessat+0x96/0x138
 [<00000000000a481e>] sys_access+0x32/0x40
 [<000000000001ed94>] sysc_noemu+0x10/0x16
 [<00000047afe5a27e>] 0x47afe5a27e

 <1>Unable to handle kernel pointer dereference at virtual kernel address
0000000000000000
Oops: 0004 [#2]
CPU:    0    Not tainted
Process newrole (pid: 20729, task: 0000000062e84438, ksp: 00000000509cbbc0)
Krnl PSW : 0704200180000000 0000000000160b6c (_raw_read_lock+0x50/0x120)
Krnl GPRS: 0000000000000001 0000000000000000 0000000000000001 0000000000000000
           0000000000160b5c 0000000000000002 0000000000000002 0000000050a24000
           0000000000000008 00000000ffffff9c 00000000509cbe48 00000000509cbc40
           0000000000000008 0000000000252418 0000000000160b5c 00000000509cbc40
Krnl Code: ba 32 80 00 19 31 a7 84 00 5e b9 04 00 28 c0 e5 ff ff f2 f5
Call Trace:
([<0000000000160b5c>] _raw_read_lock+0x40/0x120)
 [<0000000000237bca>] _read_lock+0x4e/0x5c
 [<00000000000bc674>] do_path_lookup+0x60/0x408
 [<00000000000bd586>] __user_walk_fd+0x5e/0x7c
 [<00000000000a474a>] sys_faccessat+0x96/0x138
 [<00000000000a481e>] sys_access+0x32/0x40
 [<000000000001ed94>] sysc_noemu+0x10/0x16
 [<00000047afe5a27e>] 0x47afe5a27e
</related>

P.S. 
# getenforce
Permissive

Workaround:
After stopping the daemon named "mcstransd", newrole was giving the proper error
message "-bash: /usr/bin/newrole: Argument list too long"

Comment 1 IBM Bug Proxy 2006-08-23 19:52:01 UTC
Created attachment 134745 [details]
strace of newrole command

strace of newrole command

Comment 2 IBM Bug Proxy 2006-08-23 19:53:22 UTC
Created attachment 134746 [details]
ltrace of newrole command

ltrace of newrole command

Comment 3 IBM Bug Proxy 2006-08-24 07:36:29 UTC
----- Additional Comments From nasastry.com  2006-08-24 03:40 EDT -------
Same result with RHEL5_Alpha2 (KV 2.6.17-1.2519.4.5.el5) 

Comment 4 IBM Bug Proxy 2006-08-24 10:26:18 UTC
----- Additional Comments From srinivds.com  2006-08-24 06:30 EDT -------
When we try to run the above newrole command with "mcstransd" (SELinux Context
Translation System Daemon), 2 write operations happen to the
/var/run/setrans/.setrans-unix socket (created by mcstransd). By the time one
write operation finishes, the read end of the socket is getting closed and hence
the second write operation is getting SIGPIPE.
========================================================================
connect(3, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"}, 110) = 0
writev(3, [{"

Comment 5 Daniel Walsh 2006-08-31 12:10:14 UTC
newrole will now ignore sigpipe.

Fixed in policycoreutils-1.30.27-3

Comment 6 IBM Bug Proxy 2006-08-31 19:51:23 UTC
----- Additional Comments From salina.com  2006-08-31 15:46 EDT -------
Hi Daniel,

Will you be placing the fix on Fedora too?

Before we get an official RHEL 5 beta 1,
will Fedora be a good place to get a fixed package we can try, since we are
doing some pre-beta 1 testing anyway?
Currently I see policycoreutils-1.30.26-1.s390x.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/development/s390x/os/Fedora/RPMS/

Thanks
Salina Chu 
LTC screen team 

Comment 7 Daniel Walsh 2006-08-31 20:25:59 UTC
Yes all development is in Fedora first.

Most updates will not be in RHEL 5 beta 1 since that froze a few weeks ago.

So packages will be available in Fedora.

Comment 8 Stephen Smalley 2006-09-11 15:51:08 UTC
Created attachment 136009 [details]
libselinux patch to address this bug in general

This patch has been proposed upstream as a general solution for this bug, not
limited to newrole.  It modifies the libselinux code that was triggering
SIGPIPE to use sendmsg() with MSG_NOSIGNAL rather than writev() so that if the
daemon closes its end of the connection prematurely, a normal error value will
be returned up to the caller rather than generating a SIGPIPE.
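
The failure analysed in Comment 4 and the MSG_NOSIGNAL approach described in Comment 8, shown side by side as an added example; it is not part of this bug report and is not the libselinux patch. A socketpair whose peer has closed stands in for the mcstransd socket, and the request bytes and function names are constructed for illustration.

```c
#include <errno.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed two-part request; NOT the real mcstransd wire format. */
static struct iovec req[2] = { { "hdr", 3 }, { "system_r", 8 } };

/* AF_UNIX stream socket whose peer already closed (daemon hung up early). */
static int socket_with_dead_peer(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    close(sv[1]);
    return sv[0];
}

/* Old path: writev() in a child; returns killing signal, 0 if none, -1 on error. */
int writev_killed_by(void)
{
    int fd = socket_with_dead_peer(), status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        signal(SIGPIPE, SIG_DFL);   /* default disposition, as in newrole */
        _exit(writev(fd, req, 2) < 0 ? 1 : 0);
    }
    close(fd);
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* Patched path: sendmsg() + MSG_NOSIGNAL; returns errno (EPIPE), no signal. */
int sendmsg_nosignal_errno(void)
{
    int fd = socket_with_dead_peer();
    struct msghdr msg = { .msg_iov = req, .msg_iovlen = 2 };
    int err = sendmsg(fd, &msg, MSG_NOSIGNAL) < 0 ? errno : 0;
    close(fd);
    return err;
}

/* Exit status 0 when both behaviours are observed. */
int main(void)
{
    return !(writev_killed_by() == SIGPIPE && sendmsg_nosignal_errno() == EPIPE);
}
```

Ignoring SIGPIPE in one program also turns the writev() failure into an EPIPE return, but only for that program; changing the send call in the library covers every caller.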

Comment 9 IBM Bug Proxy 2006-10-10 11:30:57 UTC
changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ACCEPTED                    |CLOSED




------- Additional Comments From nasastry.com  2006-10-10 07:25 EDT -------
Tested against latest code drop KV 2.6.18-1.2702.el5.

newrole command is not giving SIGPIPE.

# rpm -qa | grep selinux
libselinux-1.30.28-2
libselinux-devel-1.30.28-2
libselinux-1.30.28-2
libselinux-python-1.30.28-2
selinux-policy-targeted-2.3.16-2
libselinux-devel-1.30.28-2
selinux-policy-2.3.16-2

Closing this bugzilla report.

Thanks!! 

Comment 10 RHEL Program Management 2006-12-23 00:04:06 UTC
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.


Comment 11 IBM Bug Proxy 2006-12-23 20:01:18 UTC
----- Additional Comments From salina.com  2006-12-23 14:55 EDT -------
problem already closed at IBM.  Thanks