|Summary:||IMA breaks users of the dentry_open kernel interface|
|Product:||Red Hat Enterprise Linux 6||Reporter:||Simon Wilkinson <simon>|
|Component:||kernel||Assignee:||Red Hat Kernel Manager <kernel-mgr>|
|Status:||CLOSED DUPLICATE||QA Contact:||Red Hat Kernel QE team <kernel-qe>|
|Version:||6.1||CC:||eparis, esandeen, jedgecombe, ktdreyer, stephan.wiesand|
|Fixed In Version:||Doc Type:||Bug Fix|
|Last Closed:||2010-04-23 18:14:20 UTC||Type:||---|
Description Simon Wilkinson 2010-04-23 15:40:57 UTC
Description of problem:

The IMA subsystem adds an asymmetric interface to monitoring files. That is, in-kernel users of the dentry_open interface must register their open files with IMA, but the registrations are automatically deregistered by filp_close. IMA provides verbose debugging output if it sees a file being deregistered that wasn't registered earlier. ima_path_check(), which must be used to perform the registration, is a GPL-only symbol, so enabling IMA in effect breaks the dentry_open interface for non-GPL kernel modules. Whilst such modules can continue to function, the volume of debugging produced by IMA (a dump_stack every time a file is closed) seriously hampers the performance of the machine.

Whilst this is a general problem, in particular it breaks the Linux version of OpenAFS, which uses the dentry_open interface to access its cache files.

I raised this problem on the linux-security-module list in December 2009, and as a result the IMA interface was redesigned to remove the asymmetry of the register/unregister process. Those changes are in 2.6.33 - see the thread beginning at http://osdir.com/ml/linux-security-module/2009-12/msg00015.html for more details.

Many institutional users of OpenAFS use it with RHEL, so it would be great to have this fixed before the final release.
Comment 3 RHEL Product and Program Management 2010-04-23 17:51:12 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion.
Comment 4 Eric Paris 2010-04-23 18:14:20 UTC
I am going to mark this a duplicate of BZ 584901. Even though this BZ has a much better description of the real problem, that one was opened first. You should be able to find a patch which applies against RHEL6 in that BZ which should take care of this problem. I will be proposing that patch for inclusion in RHEL6 although its final determination is not yet known.

*** This bug has been marked as a duplicate of bug 584901 ***
Comment 5 Stephan Wiesand 2010-04-24 19:20:51 UTC
#584901 is private - would it be possible to make it accessible? I'd really like to keep track of this issue. Thanks.