Bug 662344

Summary: broken SELinux AVCs on XFS partition when running xfsdump
Product: [Fedora] Fedora
Reporter: Cristian Ciupitu <cristian.ciupitu>
Component: kernel
Assignee: Eric Sandeen <esandeen>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 14
CC: anton, dchinner, dougsland, dwalsh, eparis, gansalmon, hch, ian, itamar, jonathan, kernel-maint, kmcmartin, kszysiu, madhu.chinakonda
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Fixed In Version: kernel-2.6.35.10-72.fc14
Doc Type: Bug Fix
Clone Of: 600690
Last Closed: 2010-12-22 19:52:43 UTC
Bug Depends On: 600690    

Description Cristian Ciupitu 2010-12-11 21:08:23 UTC
+++ This bug was initially created as a clone of Bug #600690 +++

Description of problem:
xfsdump generates some broken SELinux AVCs when running on my XFS /home partition. This is the same partition I've used in Fedora 12 and older, so some of the files were created a long time ago, but on the other hand I've rebooted with /.autorelabel a couple of times, since installing Fedora 13.

ls -ldZ says this about one of the files:
drwxrwxr-x. ciupicri ciupicri unconfined_u:object_r:user_home_t:s0 ./3rdparty-projects/django/tests/modeltests/m2o_recursive2/.svn/tmp


Version-Release number of selected component (if applicable):
kernel-2.6.35.9-64.fc14.x86_64
selinux-policy-3.9.7-14.fc14.noarch
selinux-policy-targeted-3.9.7-14.fc14.noarch
xfsdump-3.0.4-1.fc13.x86_64


How reproducible:
Every time.


Steps to Reproduce:
1. xfsdump -l 0 -e -p 5 -f /media/SG1-personal/home.xfsdump /home

  
Actual results:
Lots of errors like this:
"xfsdump: WARNING: unable to open directory: ino 704668552: Permission denied"

SELinux denials:
time->Sat Jun  5 18:19:42 2010
type=SYSCALL msg=audit(1275751182.020:25706): arch=c000003e syscall=16 success=no exit=-13 a0=6 a1=ffffffffc038586b a2=7fff1e4804a0 a3=6 items=0 ppid=2980 pid=3006 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="xfsdump" exe="/sbin/xfsdump" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1275751182.020:25706): avc:  denied  { 0x400000 } for  pid=3006 comm="xfsdump" name="" dev=dm-1 ino=37436486 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file


Expected results:
No errors or at least a valid human readable permission instead of some hex.

Additional info:
This bug is similar to bug #576207, so it might be a duplicate.

If I set SELinux to permissive mode by running "setenforce 0", xfsdump seems to work fine (no errors printed).

Comment 1 Eric Sandeen 2010-12-17 16:53:31 UTC
> "xfsdump: WARNING: unable to open directory: ino 704668552: Permission denied"

XFS is trying to do the open by handle ioctl here

xfsctl(path, fsfd, XFS_IOC_OPEN_BY_HANDLE, &hreq);

if that's useful.  It seems that the files have proper labels on them, yes?  Not sure why the AVC seems odd...

Comment 2 Eric Paris 2010-12-17 17:13:58 UTC
This is a result of XFS using directory inodes but having never called d_instantiate() (or more importantly security_d_instantiate()).

Figure out where in the XFS code you guys are hooking your dentries to your inodes without calling d_instantiate(), fix that, and these will go away....
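A triage sketch for the denial pattern reported above, added here as an example and not taken from the bug report or from any Fedora or XFS tooling: it groups audit records by event serial and flags AVCs whose permission set is a raw hex mask or whose target is unlabeled_t. The function names and reason labels are assumptions; the arch/syscall pair c000003e/16 is ioctl(2) on x86_64, which matches the XFS_IOC_OPEN_BY_HANDLE call in Comment 1.

```python
import re

# Sample input: the two records from the bug description (abridged to the
# fields used here) plus one ordinary denial constructed for contrast.
SAMPLE = """\
time->Sat Jun  5 18:19:42 2010
type=SYSCALL msg=audit(1275751182.020:25706): arch=c000003e syscall=16 success=no exit=-13 pid=3006 comm="xfsdump" exe="/sbin/xfsdump"
type=AVC msg=audit(1275751182.020:25706): avc:  denied  { 0x400000 } for  pid=3006 comm="xfsdump" name="" dev=dm-1 ino=37436486 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1275751190.100:25710): avc:  denied  { read } for  pid=3100 comm="httpd" name="index.html" dev=dm-1 ino=1234 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
X86_64_IOCTL = ("c000003e", "16")  # arch/syscall pair for ioctl(2) on x86_64

def parse(log):
    """Group audit records by event serial so AVC and SYSCALL can be paired."""
    events = {}
    for line in log.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # e.g. the "time->" separator lines printed by ausearch
        rtype, _, serial = m.groups()
        rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if rtype == "AVC":
            p = PERMS.search(line)
            rec["perms"] = p.group(1).split() if p else []
        events.setdefault(serial, {})[rtype] = rec
    return events

def triage(log):
    """Return one finding per denial that looks like a labeling/kernel problem."""
    findings = []
    for serial, ev in sorted(parse(log).items()):
        avc = ev.get("AVC")
        if not avc:
            continue
        reasons = []
        if any(p.lower().startswith("0x") for p in avc["perms"]):
            reasons.append("undecoded-permission")  # mask has no name in tclass
        if avc.get("tcontext", "").split(":")[2:3] == ["unlabeled_t"]:
            reasons.append("unlabeled-target")  # inode never got a label
        if not reasons:
            continue  # ordinary policy denial, not this pattern
        sc = ev.get("SYSCALL", {})
        via = "ioctl" if (sc.get("arch"), sc.get("syscall")) == X86_64_IOCTL else None
        findings.append({"serial": serial, "comm": avc.get("comm"),
                         "ino": avc.get("ino"), "reasons": reasons, "via": via})
    return findings
```

Denials flagged this way point at a labeling or kernel issue rather than at missing policy, so they are candidates for a bug report, not for a local allow rule.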

Comment 3 Eric Sandeen 2010-12-17 20:46:45 UTC
*** Bug 600690 has been marked as a duplicate of this bug. ***

Comment 4 Eric Sandeen 2010-12-17 20:47:36 UTC
http://marc.info/?l=linux-fsdevel&m=129013218025665&2=2

Fixes this right up.  Not upstream yet.

-Eric

Comment 5 Fedora Update System 2010-12-19 23:56:27 UTC
kernel-2.6.35.10-69.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/kernel-2.6.35.10-69.fc14

Comment 6 Fedora Update System 2010-12-21 13:55:00 UTC
kernel-2.6.35.10-72.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/kernel-2.6.35.10-72.fc14

Comment 7 Fedora Update System 2010-12-22 00:03:21 UTC
kernel-2.6.35.10-72.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update kernel'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/kernel-2.6.35.10-72.fc14

Comment 8 Fedora Update System 2010-12-22 19:51:37 UTC
kernel-2.6.35.10-72.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2011-02-05 20:13:48 UTC
kernel-2.6.34.8-67.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/kernel-2.6.34.8-67.fc13

Comment 10 Fedora Update System 2011-02-24 15:49:54 UTC
kernel-2.6.34.8-68.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/kernel-2.6.34.8-68.fc13

Comment 11 Fedora Update System 2011-03-07 21:05:48 UTC
kernel-2.6.34.8-68.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.