Bug 204848
Summary: | Mount NFSv4 cause a OOPS in the SELinux code | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Steve Dickson <steved> |
Component: | kernel | Assignee: | Eric Paris <eparis> |
Status: | CLOSED RAWHIDE | QA Contact: | Brian Brock <bbrock> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | ||
Version: | rawhide | CC: | dwalsh, jmorris, sgrubb, wtogami |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2006-09-26 19:08:14 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 150224, 205790 | ||
Attachments: |
Description
Steve Dickson
2006-08-31 21:10:53 UTC
Created attachment 135334 [details]
Patch that detects a NULL sk pointer but does not solve the problem
I was under the impression that all struct sock would be created from sk_alloc which unconditionally allocats the sk_security. So getting null here is really quite surprising. I am able to reproduce and am looking at this bug now. i'm starting to think the issue is in rpc_mkpipe where we create an inode which passes I_ISSOCK() but I don't think has an sk or sk->sk_security If this kernel ever finishes building I'll add some insturmentation to find out if my hunch is right I do see that path.... so the question is what does rpc_get_inode() to call when the S_IFSOCK mod is set? Created attachment 135655 [details]
Patch that stops rpc_mkpipe from creating S_IFSOCK inodes that don't have sk buffers... something at drives SELinux nuts...
If this is the final patch, mine hasn't crashed but that doesn't make it right, then we will need to fix the following AVC denial in policy. audit(1157483505.359:6): avc: denied { read write } for pid=1959 comm="rpc.idmapd" name="idmap" dev=rpc_pipefs ino=739 scontext=root:system_r:rpcd_t:s0 tcontext=system_u:object_r:rpc_pipefs_t:s0 tclass=fifo_file Created attachment 136032 [details]
policy file to allow rpcidmapd to use fifos
simply download and run
"semodule -i rpc_mkpipe.pp"
Fixed in selinux-policy-2.3.14-3 fixed and in RHEL5 kernel |