Bug 357541

Summary: 2.6.23.1-37.fc8 BUG/NULL pointer dereference in selinux code
Product: [Fedora] Fedora
Component: kernel
Version: rawhide
Hardware: i386
OS: Linux
Status: CLOSED UPSTREAM
Severity: low
Priority: low
Reporter: Hans Ulrich Niedermann <rhbugs>
Assignee: Eric Paris <eparis>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: cebbert, davej, jmorris, nmiell, sdsmall
Doc Type: Bug Fix
Last Closed: 2007-11-12 21:37:47 UTC
Attachments:
  BUG log in dmesg (flags: none)
  dmesg from 2.6.23.1-37.fc8 (non-PAE version) (flags: none)

Description Hans Ulrich Niedermann 2007-10-30 02:28:07 UTC
Description of problem:

  When I run "mock", it exits with code 139, and the dmesg
  buffer contains one more kernel BUG/Oops report.

Version-Release number of selected component (if applicable):

  kernel-PAE-2.6.23.1-37.fc8
  mock-0.7.6-1.fc8

How reproducible:

  Every time - at least on this machine. I don't have another with F8.

Steps to Reproduce:
1. Run "mock".
  
Actual results:

   exit code 139, kernel BUG/Oops.

Expected results:

   mock doing something useful.

Additional info:

  The system is not a fresh install of F8Tsomething, but has
  been "yum upgraded" from F7. So a few things might be amiss,
  but that should never cause NULL pointer dereferences in the
  kernel.

Comment 1 Hans Ulrich Niedermann 2007-10-30 02:28:07 UTC
Created attachment 242621
BUG log in dmesg

Comment 2 Hans Ulrich Niedermann 2007-10-30 16:37:34 UTC
Created attachment 243651
dmesg from 2.6.23.1-37.fc8 (non-PAE version)

Same issue with 2.6.23.1-37.fc8 as with 2.6.23.1-37.fc8PAE.
(As requested by Chuck Ebbert)

Comment 3 Hans Ulrich Niedermann 2007-10-30 16:41:31 UTC
I have just remembered... it may be a "broken" mock SELinux policy module
triggering this, as I have mucked around with a mock policy module around FC6.

As broken as that mock policy may be, I will not touch it for a few weeks in
order to help you guys figure out the in-kernel issue.


Comment 4 Hans Ulrich Niedermann 2007-10-30 17:33:23 UTC
The Fedora Wiki has a page with a few hints about an SELinux policy. I once
tried to make those into a package. The remnants of this are what I have
installed here - the mock selinux policy module is still loaded, but the RPM
package has been uninstalled.

If you want to examine the actual policy module yourself, I have uploaded the
loaded mock.pp (file /etc/selinux/targeted/modules/active/modules/mock.pp) to
http://mock.lauft.net/mock.pp

This is probably generated from
http://mock.lauft.net/mock-selinux-policy-0.0.2-2.src.rpm
but I cannot find the exact noarch RPM used to install it any more.


Comment 5 Eric Paris 2007-11-12 21:37:47 UTC
It is the buggy .pp file.  We can't figure out how it got built wrong but we have
added new checks upstream to make sure something like this gets rejected in the
future rather than oops.  The upstream patch is at:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=45e5421eb5bbcd9efa037d682dd357284e3ef982

Since this is root only and you could more easily destroy your system other ways,
I don't feel strongly about putting this into the F8 kernel right now.  So I'm
going to close this as upstream and we'll get the extra validity checks when we
move to .24.

If anyone feels strongly about having these validity checks in the F8 kernel let
me know.
-Eric

Comment 6 Chuck Ebbert 2007-12-07 23:24:52 UTC
*** Bug 388061 has been marked as a duplicate of this bug. ***