Bug 129990 - kernel-2.6.7-1.494.2.2 breaks SELinux
Summary: kernel-2.6.7-1.494.2.2 breaks SELinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Dave Jones
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-08-16 13:24 UTC by Enrico Scholz
Modified: 2015-01-04 22:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-01-17 07:58:39 UTC
Type: ---
Embargoed:



Description Enrico Scholz 2004-08-16 13:24:25 UTC
Description of problem:

The 2.6.7-1.494.2.2 kernel is too new for the shipped checkpolicy:


| # make load -C /etc/security/selinux/src/policy
| make: Entering directory `/etc/security/selinux/src/policy'
| /usr/sbin/load_policy /etc/security/selinux/policy.`cat /selinux/policyvers`
| Can't open '/etc/security/selinux/policy.18':  No such file or directory
| make: *** [tmp/load] Error 2
| make: Leaving directory `/etc/security/selinux/src/policy'

| # cat /selinux/policyvers
| 18#
| # checkpolicy -V
| 17 (compatibility range 17-15)



With this kernel I am unable to log in via ssh as no PTY can be allocated:

| Aug 16 14:58:04 arundel sshd[2659]: error: openpty: No such file or directory
| Aug 16 14:58:04 arundel sshd[2663]: error: session_pty_req: session 0 alloc failed


/var/log/messages shows hundreds of

| Aug 16 15:13:07 arundel kernel: audit(1092661987.538:0): avc:  denied  { read write } for  pid=2863 exe=/usr/sbin/sshd name=ptyp0 dev=hda5 ino=68251 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:device_t tclass=chr_file

entries.

| # ll -Z /dev/pts -d
| drwxr-xr-x+ root     root     (null)                           /dev/pts
| # ll -Z /dev/pts
| crw-------+ root     tty      system_u:object_r:initrc_devpts_t 0
| crw--w----+ root     tty      root:object_r:sysadm_devpts_t    1


With an older kernel (kernel-2.6.6-1.435.2.3) things are ok.



Version-Release number of selected component (if applicable):

kernel-2.6.7-1.494.2.2
checkpolicy-1.10-1
policy-1.11.3-3


How reproducible:

100%
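
The mismatch the report shows (a kernel whose /selinux/policyvers is 18 while the installed checkpolicy can only emit version 17, so the Makefile's hard-coded policy.`cat /selinux/policyvers` does not exist) can be detected before `make load` is run. The script below is an added example, not part of the bug report or of the Fedora policy Makefile. It assumes that the kernel accepts any binary policy at or below its own policyvers (down to the kernel's minimum supported version), so the highest version both sides agree on is the one to load; the function names and the `--live` flag are made up here, and the paths are the ones shown in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): reconcile the kernel's policy
# version (/selinux/policyvers) with what the installed checkpolicy can
# emit, and pick a binary policy file the running kernel can load.
#
# Assumption (not stated on the page): the kernel loads any binary policy
# whose version is at or below /selinux/policyvers and at or above the
# kernel's own minimum, so an older policy.N is acceptable.

# Print "MAX MIN" parsed from `checkpolicy -V` output such as
# "17 (compatibility range 17-15)"; fail if the format is not recognised.
checkpolicy_range() {
    range=$(printf '%s\n' "$1" |
        sed -n 's/^[0-9][0-9]* *(compatibility range \([0-9][0-9]*\)-\([0-9][0-9]*\)).*/\1 \2/p')
    [ -n "$range" ] || return 1
    printf '%s\n' "$range"
}

# Print the highest policy version both the kernel and checkpolicy agree on.
#   $1 = kernel policy version (contents of /selinux/policyvers)
#   $2 = output of `checkpolicy -V`
# Exit 1 when checkpolicy's whole range is newer than the kernel (no overlap),
# 2 on unparsable input. When the kernel is newer than checkpolicy, which is
# the situation in this report, a warning goes to stderr and the newest
# version checkpolicy can produce is printed instead.
loadable_policy_version() {
    kernvers=$1
    case $kernvers in
        ''|*[!0-9]*) echo "bad kernel policy version: '$kernvers'" >&2; return 2 ;;
    esac
    range=$(checkpolicy_range "$2") ||
        { echo "cannot parse checkpolicy -V output: '$2'" >&2; return 2; }
    max=${range% *}
    min=${range#* }
    if [ "$kernvers" -lt "$min" ]; then
        echo "kernel policy version $kernvers is older than anything checkpolicy emits ($min-$max)" >&2
        return 1
    fi
    if [ "$kernvers" -gt "$max" ]; then
        echo "warning: kernel supports policy version $kernvers but checkpolicy only emits up to $max;" \
             "use policy.$max (upgrade checkpolicy to build a newer format)" >&2
        kernvers=$max
    fi
    printf '%s\n' "$kernvers"
}

# Print the path of the binary policy to hand to load_policy, or fail if it
# has not been compiled yet.
#   $1 = directory holding policy.N files, $2 = kernel policy version,
#   $3 = output of `checkpolicy -V`
policy_file_to_load() {
    vers=$(loadable_policy_version "$2" "$3") || return $?
    file="$1/policy.$vers"
    if [ ! -f "$file" ]; then
        echo "$file does not exist; build it first (checkpolicy -o $file ...)" >&2
        return 1
    fi
    printf '%s\n' "$file"
}

# Stand-alone use on a live system with the 2.6-era layout from the report:
#   sh policy_version_check.sh --live
if [ "$1" = "--live" ] && [ -r /selinux/policyvers ]; then
    file=$(policy_file_to_load /etc/security/selinux "$(cat /selinux/policyvers)" "$(checkpolicy -V)") &&
        echo "load with: /usr/sbin/load_policy $file"
fi
```

On the system in the report this prints a warning that the kernel's version 18 exceeds checkpolicy's maximum of 17 and selects /etc/security/selinux/policy.17, which is the file the Makefile already built; the report's `make load` fails only because it names policy.18 unconditionally.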

Comment 1 Enrico Scholz 2004-08-16 14:32:46 UTC
The strange thing is that the first ssh connection after reboot succeeds. Then
I get

| open("/var/log/lastlog", O_RDONLY|O_LARGEFILE) = 9
| _llseek(9, 0, [0], SEEK_SET)            = 0
| read(9, "\317\251 Atty5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 292) = 292
| close(9)                                = 0
| open("/dev/ptmx", O_RDWR)               = -1 EIO (Input/output error)
| open("/dev/ptyp0", O_RDWR)              = -1 ENXIO (No such device or address)
| open("/dev/ptyp1", O_RDWR)              = -1 ENXIO (No such device or address)
| open("/dev/ptyp2", O_RDWR)              = -1 ENXIO (No such device or address)


Comment 2 Enrico Scholz 2004-09-28 19:06:09 UTC
Still with kernel-2.6.8-1.521, and some more information about the tty issue:

when the system comes into this state and I execute a program the
first time, things are fine:

| open("/dev/ptmx", O_RDWR)               = 3


Subsequent executions of the program give

| open("/dev/ptmx", O_RDWR)               = -1 EIO (Input/output error)


After renaming the program, things are fine again. Btw, this also solves
my ssh-login problem, because the EIO error was given to the
test program.


The test program used was a small modification of the code in libc.info,
sec. 17.8.1 "Allocation Pseudo-Terminals".


Comment 3 Enrico Scholz 2004-09-28 19:22:18 UTC
I guess the bug is related to

| # ls -Z /dev/pts
| crw-------+ root     tty      system_u:object_r:initrc_devpts_t 0

There is no process on this tty.

Comment 4 Jiann-Ming Su 2004-10-12 20:37:01 UTC
I get this error on a newly installed and updated FC2 system.  I got
the latest SELinux packages from
ftp://people.redhat.com/dwalsh/SELinux/Fedora.  I created a new user
and edited the /etc/security/selinux/src/policy/users file.  I tried
running "make -C /etc/security/selinux/src/policy load" and get the
error listed in this bug report.  I'm using kernel 2.6.8-1.521smp.

Comment 5 Jiann-Ming Su 2004-10-13 18:20:16 UTC
I backed off to kernel 2.6.5-1.358smp and SELinux seems happier.

# make -C /etc/security/selinux/
file_contexts  policy.15      policy.16      policy.17      src
[root@booboo root]# make -C /etc/security/selinux/src/policy/
make: Entering directory `/etc/security/selinux/src/policy'
make: Nothing to be done for `install'.
make: Leaving directory `/etc/security/selinux/src/policy'
# cat /selinux/policyvers 
17
# checkpolicy -V
17 (compatibility range 17-15)



Comment 6 Dave Jones 2004-11-27 22:34:05 UTC
mass update for old bugs:

Is this still a problem in the 2.6.9 based kernel update ?


