Bug 129990 - kernel-2.6.7-1.494.2.2 breaks SELinux
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: kernel
Version: 2
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Dave Jones
Reported: 2004-08-16 09:24 EDT by Enrico Scholz
Modified: 2015-01-04 17:08 EST
Doc Type: Bug Fix
Last Closed: 2005-01-17 02:58:39 EST
Description Enrico Scholz 2004-08-16 09:24:25 EDT
Description of problem:

The 2.6.7-1.494.2.2 kernel is too new for the shipped checkpolicy:


| # make load -C /etc/security/selinux/src/policy
| make: Entering directory `/etc/security/selinux/src/policy'
| /usr/sbin/load_policy /etc/security/selinux/policy.`cat /selinux/policyvers`
| Can't open '/etc/security/selinux/policy.18':  No such file or directory
| make: *** [tmp/load] Error 2
| make: Leaving directory `/etc/security/selinux/src/policy'

| # cat /selinux/policyvers
| 18#
| # checkpolicy -V
| 17 (compatibility range 17-15)



With this kernel I am unable to login via ssh as no PTY can be allocated:

| Aug 16 14:58:04 arundel sshd[2659]: error: openpty: No such file or directory
| Aug 16 14:58:04 arundel sshd[2663]: error: session_pty_req: session 0 alloc failed


/var/log/messages shows hundreds of

| Aug 16 15:13:07 arundel kernel: audit(1092661987.538:0): avc:  denied  { read write } for  pid=2863 exe=/usr/sbin/sshd name=ptyp0 dev=hda5 ino=68251 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:device_t tclass=chr_file

entries.

| # ll -Z /dev/pts -d
| drwxr-xr-x+ root     root     (null)                           /dev/pts
| # ll -Z /dev/pts
| crw-------+ root     tty      system_u:object_r:initrc_devpts_t 0
| crw--w----+ root     tty      root:object_r:sysadm_devpts_t    1


With an older kernel (kernel-2.6.6-1.435.2.3) things are ok.



Version-Release number of selected component (if applicable):

kernel-2.6.7-1.494.2.2
checkpolicy-1.10-1
policy-1.11.3-3


How reproducible:

100%
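
A check for the mismatch reported above, added here as an example and not part of the bug report or of the policy Makefile: it compares the policy version the kernel reports with the range `checkpolicy -V` prints and with the `policy.N` files present. The function names and verdict strings are hypothetical; the sample values are the ones quoted in the description.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names and verdict strings
# are hypothetical. Inputs are strings so the logic runs offline; on a live
# system they come from `cat /selinux/policyvers` and `checkpolicy -V`.

# parse_range "17 (compatibility range 17-15)" prints "15 17" (lowest highest).
parse_range() {
    re='.*range \([0-9][0-9]*\)-\([0-9][0-9]*\).*'
    a=$(printf '%s\n' "$1" | sed -n "s/$re/\1/p")
    b=$(printf '%s\n' "$1" | sed -n "s/$re/\2/p")
    if [ -z "$a" ] || [ -z "$b" ]; then return 1; fi
    # Normalise the order: checkpolicy prints the range highest-lowest.
    if [ "$a" -gt "$b" ]; then t=$a; a=$b; b=$t; fi
    printf '%s %s\n' "$a" "$b"
}

# check_policy_load KERNEL_VERS CHECKPOLICY_OUTPUT POLICY_DIR
# Prints one verdict (always returns 0 so callers compare the string):
#   ok           POLICY_DIR/policy.<kernel version> exists, load_policy finds it
#   stale-tools  the kernel version is outside what checkpolicy can build
#   not-built    the version is buildable but the file is missing
#   unparsable   one of the inputs could not be read
check_policy_load() {
    # /selinux/policyvers has no trailing newline; keep the digits only.
    kvers=$(printf '%s' "$1" | tr -cd '0-9')
    range=$(parse_range "$2") || range=
    if [ -z "$kvers" ] || [ -z "$range" ]; then echo "unparsable"; return 0; fi
    lo=${range% *}; hi=${range#* }
    if [ -e "$3/policy.$kvers" ]; then
        echo "ok"
    elif [ "$kvers" -lt "$lo" ] || [ "$kvers" -gt "$hi" ]; then
        echo "stale-tools"
    else
        echo "not-built"
    fi
}

# Values quoted in the description: kernel reports 18, checkpolicy stops at 17.
check_policy_load "18" "17 (compatibility range 17-15)" \
    "${POLICY_DIR:-/etc/security/selinux}"
```
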
Comment 1 Enrico Scholz 2004-08-16 10:32:46 EDT
Strange thing is that the first ssh connection after reboot succeeds. Then
I get

| open("/var/log/lastlog", O_RDONLY|O_LARGEFILE) = 9
| _llseek(9, 0, [0], SEEK_SET)            = 0
| read(9, "\317\251 Atty5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 292) = 292
| close(9)                                = 0
| open("/dev/ptmx", O_RDWR)               = -1 EIO (Input/output error)
| open("/dev/ptyp0", O_RDWR)              = -1 ENXIO (No such device or address)
| open("/dev/ptyp1", O_RDWR)              = -1 ENXIO (No such device or address)
| open("/dev/ptyp2", O_RDWR)              = -1 ENXIO (No such device or address)
Comment 2 Enrico Scholz 2004-09-28 15:06:09 EDT
Still with kernel-2.6.8-1.521, and some more information about the tty issue:

when the system comes into this state and I execute a program the
first time, things are fine:

| open("/dev/ptmx", O_RDWR)               = 3


Subsequent executions of the program give

| open("/dev/ptmx", O_RDWR)               = -1 EIO (Input/output error)


After renaming the program, things are fine again. Btw, this solves
my ssh-login problem also because the EIO error was given to the
testprogram.


The test program used was a small modification of the code in libc.info,
sec 17.8.1 "Allocating Pseudo-Terminals"
Comment 3 Enrico Scholz 2004-09-28 15:22:18 EDT
I guess the bug is related to

| # ls -Z /dev/pts
| crw-------+ root     tty      system_u:object_r:initrc_devpts_t 0

There does not exist a process on this tty.
Comment 4 Jiann-Ming Su 2004-10-12 16:37:01 EDT
I get this error on a newly installed and updated FC2 system.  I got
the latest SELinux packages from
ftp://people.redhat.com/dwalsh/SELinux/Fedora.  I created a new user
and edited the /etc/security/selinux/src/policy/users file.  I tried
running "make -C /etc/security/selinux/src/policy load" and get the
error listed in this bug report.  I'm using kernel 2.6.8-1.521smp.
Comment 5 Jiann-Ming Su 2004-10-13 14:20:16 EDT
I backed off to kernel 2.6.5-1.358smp and SELinux seems happier.

# make -C /etc/security/selinux/
file_contexts  policy.15      policy.16      policy.17      src
[root@booboo root]# make -C /etc/security/selinux/src/policy/
make: Entering directory `/etc/security/selinux/src/policy'
make: Nothing to be done for `install'.
make: Leaving directory `/etc/security/selinux/src/policy'
# cat /selinux/policyvers 
17
# checkpolicy -V
17 (compatibility range 17-15)

Comment 6 Dave Jones 2004-11-27 17:34:05 EST
mass update for old bugs:

Is this still a problem in the 2.6.9-based kernel update?
