Bug 467216

Summary:	avc: denied { sys_resource } when using ext4dev partitions
Product:	Red Hat Enterprise Linux 5	Reporter:	Alexander Todorov <atodorov>
Component:	kernel	Assignee:	Eric Sandeen <esandeen>
Status:	CLOSED ERRATA	QA Contact:	Alexander Todorov <atodorov>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	5.3	CC:	benl, dwalsh, dzickus, eparis, mcepl, rwheeler, syeghiay
Target Milestone:	rc
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2009-01-20 20:10:56 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Alexander Todorov 2008-10-16 12:50:30 UTC

[root@localhost ~]# grep denied /var/log/messages 
Oct 16 08:32:55 localhost kernel: type=1400 audit(1224160368.466:4): avc:  denied  { sys_resource } for  pid=1601 comm="restorecond" capability=24 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=capability
Oct 16 08:32:55 localhost kernel: type=1400 audit(1224160369.076:5): avc:  denied  { sys_resource } for  pid=1624 comm="dbus-daemon" capability=24 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=capability
Oct 16 08:32:55 localhost kernel: type=1400 audit(1224160369.632:6): avc:  denied  { sys_resource } for  pid=1654 comm="hpiod" capability=24 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hplip_t:s0 tclass=capability
Oct 16 08:32:55 localhost kernel: type=1400 audit(1224160369.653:7): avc:  denied  { sys_resource } for  pid=1655 comm="hpiod" capability=24 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hplip_t:s0 tclass=capability
Oct 16 08:32:55 localhost kernel: type=1400 audit(1224160372.351:8): avc:  denied  { sys_resource } for  pid=1658 comm="python" capability=24 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hplip_t:s0 tclass=capability
Oct 16 08:32:55 localhost kernel: type=1400 audit(1224160372.384:9): avc:  denied  { sys_resource } for  pid=1661 comm="python" capability=24 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hplip_t:s0 tclass=capability
Oct 16 08:32:55 localhost kernel: type=1400 audit(1224160374.051:10): avc:  denied  { sys_resource } for  pid=1692 comm="xfs" capability=24 scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:system_r:xfs_t:s0 tclass=capability



Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-162.el5

Steps to Reproduce:
1. Installed a system which / partition is on ext4dev
LABEL=/                 /                       ext4dev defaults        1 1
LABEL=/home             /home                   ext4dev defaults        1 2
/dev/sda1               /boot/efi               vfat    defaults        0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0

  
Actual results:
Seeing the above denials in /var/log/messages after installation is complete.

Additional info:
haven't seen selinux denials when using ext3 partitions. not sure if this is related to fs type.

Comment 1 Daniel Walsh 2008-10-16 19:16:51 UTC

If suddenly every confined domain in the universe needs sys_resource, I think it is a kernel bug.

Comment 2 Eric Paris 2008-10-24 15:13:01 UTC

http://marc.info/?t=122486095400002&r=1&w=2

Comment 3 Eric Sandeen 2008-10-24 20:47:57 UTC

Thanks, I sent a couple patches upstream which should delay the capable() tests as eparis suggested, so at least we only should get the denials when all else fails (i.e. we need the actually need the root space, and neither the uid nor the gid matches that for the reserved space...)

http://marc.info/?l=linux-ext4&m=122488084212789&w=2
http://marc.info/?l=linux-ext4&m=122488090912882&w=2

Feel free to test :)

Thanks,
-Eric

Comment 4 Eric Sandeen 2008-10-24 21:39:23 UTC

I've pushed them to the pending ext4 patch queue now as well.

-Eric

Comment 5 Eric Sandeen 2008-10-27 16:52:33 UTC

Put the patches into rawhide/F10 today.

Comment 11 Daniel Walsh 2008-10-28 20:55:09 UTC

*** Bug 468683 has been marked as a duplicate of this bug. ***

Comment 13 Don Zickus 2008-11-04 16:50:46 UTC

in kernel-2.6.18-122.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Comment 15 Alexander Todorov 2008-11-10 12:04:28 UTC

with 2.6.18-122.el5 and a default install on ext4dev / I'm not seeing any selinux denials in the logs. Moving to VERIFED.

Comment 17 Eric Sandeen 2009-01-05 19:15:06 UTC

For the record, a fix for this is now upstream as well:

commit a996031c87e093017c0763326a08896a3a4817f4
Author: Eric Sandeen <sandeen>
Date:   Tue Oct 28 00:08:17 2008 -0400

    delay capable() check in ext4_has_free_blocks()

    As reported by Eric Paris, the capable() check in ext4_has_free_blocks()
    sometimes causes SELinux denials.

    We can rearrange the logic so that we only try to use the root-reserved
    blocks when necessary, and even then we can move the capable() test
    to last, to avoid the check most of the time.

    Signed-off-by: Eric Sandeen <sandeen>
    Reviewed-by: Mingming Cao <cmm.com>
    Signed-off-by: "Theodore Ts'o" <tytso>

Comment 18 errata-xmlrpc 2009-01-20 20:10:56 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-0225.html