Bug 1300472 - 32bit libselinux on 64bit system produces invalid result for is_selinux_enabled()
Status: CLOSED DUPLICATE of bug 1158963
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libselinux
Version: 6.7
Assigned To: Petr Lautrbach
QA Contact: BaseOS QE Security Team
Reported: 2016-01-20 18:48 EST by tpacyga
Modified: 2016-01-21 02:19 EST
Doc Type: Bug Fix
Last Closed: 2016-01-21 02:19:49 EST
Type: Bug

Attachments
Proposed patch for libselinux (486 bytes, patch)
2016-01-20 18:48 EST, tpacyga

Description tpacyga 2016-01-20 18:48:04 EST
Created attachment 1116738
Proposed patch for libselinux

Description of problem:

Running the 32bit libselinux library on a 64bit RHEL 6.7 system (don't ask) causes is_selinux_enabled() to return a 0 even when selinux is enabled. After some digging, I noticed that manually building libselinux without any optimization flags set causes everything to work as intended. After further digging, I traced the problem down to the -ftree-vrp flag (part of -O2). I also noticed that with warnings turned on I was getting complaints about a potentially uninitialized variable on line 319 of seusers.c. Moving line 274 up 2 lines fixes the problem (see libselinux.patch attachment). Now it works with all the normal optimization flags (-O2).

Version-Release number of selected component (if applicable):

RHEL 6.7 x86_64 system running libselinux-2.0.94-5.8 i686

How to reproduce:

Just looking at the patch should be clear. In src/seusers.c it is possible to have asprintf at line 272 fail, thus causing the goto err on line 273, at which point fp was never initialized. Moving the fopen on line 274 before line 272 would fix the issue.

Now if one would actually want to reproduce the error:
1) Install a 64bit RHEL 6.7 minimal install.
2) Install the 32 bit version of libselinux-2.0.94-5.8 along with the 32 bit version of libselinux-devel-2.0.94-5.8.
3) Write a simple test program that uses is_selinux_enabled():

#include <selinux/selinux.h>
#include <stdio.h>

int main(void) {
    /* Prints 1 when SELinux is enabled, 0 when it is not. */
    printf("is_selinux_enabled(): %d\n", is_selinux_enabled());
    return 0;
}

4) Compile for 32bit "gcc test.c -lselinux -m32"
5) If starting up in permissive mode, should return 0 (I have had it return correctly in enforcing mode sometimes), however even in permissive should still return 1 as compared to a standard setup. getenforce will also show disabled even though in permissive mode (even if you do a setenforce 1).
6) Rebuilding the package from source without optimization flags fixes the issue as does applying the patch. May need to specify some env variables to make (make LIBDIR=/usr/lib LDFLAGS=-m32 CFLAGS=-m32).

Even if you have trouble reproducing this (I realize it is an uncommon scenario), I think it should be clear enough from the patch that the code is incorrect as is and this should be a simple fix.

Thanks,
Ted
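
The cleanup-path hazard described in the report above (a `goto err` taken before `fp` is assigned), shown as an added example that is not part of the original report and is not libselinux source. `count_entries`, `write_sample`, the `fail_alloc` switch and the sample file are hypothetical, and `malloc` stands in for `asprintf`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not libselinux source; all names are hypothetical.
 * Counts lines of `path` starting with "<name>:"; returns the count or -1.
 * `fail_alloc` injects the allocation failure that jumps to err before fopen(). */
int count_entries(const char *path, const char *name, int fail_alloc)
{
    FILE *fp = NULL;      /* set before any goto: err may run before fopen() */
    char *prefix = NULL;  /* likewise for the heap buffer */
    char line[256];
    size_t plen = strlen(name) + 1;   /* name plus ':' */
    int rc = -1, n = 0;

    prefix = fail_alloc ? NULL : malloc(plen + 1);
    if (prefix == NULL)
        goto err;         /* fp is still NULL here, never indeterminate */
    snprintf(prefix, plen + 1, "%s:", name);
    fp = fopen(path, "r");
    if (fp == NULL)
        goto err;
    while (fgets(line, sizeof line, fp) != NULL)
        if (strncmp(line, prefix, plen) == 0)
            n++;
    rc = n;
err:
    free(prefix);         /* free(NULL) is a no-op */
    if (fp != NULL)       /* fclose() on NULL or garbage is undefined */
        fclose(fp);
    return rc;
}

int write_sample(const char *path)   /* constructed seusers-style sample */
{
    FILE *out = fopen(path, "w");
    if (out == NULL)
        return -1;
    fputs("root:unconfined_u:s0\n__default__:user_u:s0\nroot:staff_u:s0\n", out);
    return fclose(out) == 0 ? 0 : -1;
}

int main(void)
{
    const char *p = "seusers_demo.txt";   /* constructed sample file */
    if (write_sample(p) == 0)
        printf("ok=%d injected=%d\n", count_entries(p, "root", 0), count_entries(p, "root", 1));
    remove(p);
    return 0;
}
```

Building with `-Wall -O2` is what surfaces the "may be used uninitialized" warning when the `= NULL` initialisers are removed.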
Comment 2 Petr Lautrbach 2016-01-21 02:19:49 EST
Thank you for the report. This is the kernel issue which will be fixed in the next update.

*** This bug has been marked as a duplicate of bug 1158963 ***
