Bug 700538
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | MLS - cgconfigparser cannot search on /cgroup/ dirs | | |
| Product | Red Hat Enterprise Linux 6 | Reporter | Eduard Benes <ebenes> |
| Component | kernel | Assignee | Eric Paris <eparis> |
| Status | CLOSED ERRATA | QA Contact | Red Hat Kernel QE team <kernel-qe> |
| Severity | high | Priority | urgent |
| Version | 6.1 | CC | dwalsh, eparis, iboverma, jburke, jsafrane, jwest, kzhang, mgrepl, mmalik, sgrubb |
| Target Milestone | rc | Keywords | ZStream |
| Hardware | All | OS | Linux |
| Fixed In Version | kernel-2.6.32-158.el6 | Doc Type | Bug Fix |
| Last Closed | 2011-12-06 13:20:25 UTC | Bug Blocks | 584498, 682670, 705057, 713135, 846801, 846802 |

Doc Text:

When using certain SELinux policies, such as the MLS policy, it was not possible to properly mount the cgroupfs file system due to the way security checks were applied to the new cgroupfs inodes during the mount operation. With this update, the security checks applied during the mount operation have been changed so that they always succeed, and the cgroupfs file system can now be successfully mounted and used with the MLS SELinux policy. This issue did not affect systems which used the default targeted policy.

Description
Eduard Benes
2011-04-28 15:51:48 UTC
By any chance, could be a bug in kernel? Looks like it is not labelled correctly after the mount.

Do you see anything about selinux in dmesg or do you see anything from ausearch -m SELINUX_ERR ??

(In reply to comment #2)
> Do you see anything about selinux in dmesg or do you see anything from ausearch
> -m SELINUX_ERR ??

No, there is nothing suspicious in dmesg or audit.log.

Patch(es) available on kernel-2.6.32-158.el6

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
When using certain SELinux policies, such as the MLS policy, it was not possible to properly mount the cgroupfs file system due to the way security checks were applied to the new cgroupfs inodes during the mount operation. With this update, the security checks applied during the mount operation have been changed so that they always succeed, and the cgroupfs file system can now be successfully mounted and used with the MLS SELinux policy. This issue did not affect systems which used the default targeted policy.

Confirmed libcgroup services can start on snap 2 with no denials, /cgroup mountpoints are now correctly labeled.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1530.html