Red Hat Bugzilla – Bug 134111
with SELinux enabled, 1.541 becomes unstable after attempting to write to a reiser partition
Last modified: 2007-11-30 17:10:50 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3)
Description of problem:
From rawhide-20040927 as well as FC3t2 (both using the same kernel
1.541), I can mount /dev/hda2 (reiser), navigate the fs, cat files,
etc., but, if I try to write to a file or create a new one, the
process attempting the write becomes unkillably frozen. Subsequent
syncs immediately, unkillably freeze. Attempts to umount fail.
Attempts to reboot silently fail. If I login on another tty, I get to
the "Last login: ..." line, then my cursor remains blinking on the
next line forever. There is no Oops or other kernel output on the
console, and nothing shows up in dmesg.
At this point, all I can do is power cycle.
If I boot into a kernel that does not experience this problem, I can
read and write to the partition without problems. Changes I make to
the partition do show up when I reboot into FC, but as soon as I try
to make changes in FC, everything freezes again.
If I boot into 1.541 with the argument "selinux=0", I am able to write
to /dev/hda2 normally.
Version-Release number of selected component (if applicable):
Expected Results: If this is an unknown and/or easily-solvable issue
with SELinux and reiser, I would prefer if the issue could be solved.
Barring that, I would prefer if the kernel either disabled the
affected parts of SELinux on reiser partitions, or did not allow
reiser partitions to be mounted rw when SELinux is enabled.
don't use reiserfs like this.
realistically we're not going to be fixing reiserfs so marking this
bug as WONTFIX.
I am not using reiserfs in a strange way; I am simply mounting it and
attempting to use it on a system that happens to have SELinux enabled.
Our installer allowed me to choose to mount /dev/hda2 rw as type
reiser, I did not go behind its back.
The kernel allowed /dev/hda2 to mount rw out of the box, I did not
need to customize any module loading scripts or install any extra
This is a robustness issue and must be addressed, preferably in one of
the three ways above (correct rw operation, disable SELinux on mount,
or prevent reiser partitions from being mounted rw when SELinux is
enabled). A fourth way of addressing it might be to remove the reiser
driver from the distribution, which would be unfortunate for users who
would otherwise choose to use reiser and simply disable SELinux. A
fifth way of addressing it might be to cause our installer to not
offer to mount reiser partitions, which would also be unfortunate for
users who value reiser over SELinux.
Either way, there will be users who value reiser and, as long as we
allow its use, we can not make it easy to destabilize the kernel
through normal use of its features (reiser and SELinux).
We aren't distributing those broken patches to add xattr support to
reiserfs are we? Did they get upstreamed?
we aren't touching reiserfs at all.
btw you missed a 4th way, the most likely way:
If either the fourth or fifth way of addressing this problem is
determined to be the only practical solution, please go ahead with it.
We should not ship a distribution in this state.
Users (which class would include me before this morning) need to be
educated to not use reiser and SELinux at the same time, or they need
to be prevented from doing it, but they can not be allowed to cause
filesystem inconsistency or kernel instability through the normal
actions of enabling SELinux, using reiser, and attempting to write to
a data partition.
Please do not re-close this bug until one of the five methods of
addressing this kernel issue has been decided upon and implemented.
well anaconda doesn't offer you to create a reiserfs partition.
the kernel does not have the task to prevent the sysadmin from
shooting himself in his foot.
Just me asking (because I didn't try it). But if I choose linux
reiserfs at the install point anaconda will/? provide me with reiserfs
as option (at least the same thing happened when I installed FC3T2 on
Created attachment 104848 [details]
Use genfscon to map reiserfs to nfs_t rather than calling xattr handlers
Allow use of reiserfs under SELinux, mapping all inodes to a single type,
rather than trying to call the xattr security handlers in the reiserfs code
that produce deadlock. nfs_t used as the type at Russell's suggestion, since
already allows access for NFS home directories.
reiserfs is available only AS-IS and unsupported. If it breaks, you
get to keep both pieces.
Jeremy - It sounds like anaconda needs to be changed so that without
the reiserfs option, it will refuse to upgrade an existing linux
install on a reiserfs partition.
reiserfs/SELinux deadlock shouldn't be occurring anymore due to policy
change to tell SELinux to not invoke the reiserfs xattr handlers at all.
Is it still occurring? SELinux should just be mapping all reiserfs
inodes to nfs_t at this point.
As an aside, recently restarted dialogue with Jeff Mahoney of SuSE
about getting the reiserfs xattr support fixed so that it will work
with SELinux, but don't know what they will be done.
Looks like policy fix went into 1.17.28-2 on Oct 6th. FC3T3 had an
older revision that lacked the change, so expect reiserfs to still
deadlock there. But in FC3 final, it shouldn't be an issue.
The newer policy package should fix this.
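
The policy change discussed in this thread, sketched as an added example (not the contents of attachment 104848 and not code from the SELinux project): a small checker that reads policy labeling statements and reports whether a filesystem type is labeled through per-inode xattrs or through a single genfscon context. The two policy fragments are constructed; the `fs_use_xattr reiserfs` line in the "before" fragment and the `fs_t` context are assumptions, and the lookup order (an `fs_use_*` entry wins, then `genfscon`, else unlabeled) is a simplified model of how the kernel picks a labeling behavior.

```python
# Constructed policy fragments; only nfs_t for reiserfs comes from the thread.
BEFORE = """
fs_use_xattr ext3 system_u:object_r:fs_t;
fs_use_xattr reiserfs system_u:object_r:fs_t;   # assumed pre-fix state
genfscon proc / system_u:object_r:proc_t
"""

AFTER = """
fs_use_xattr ext3 system_u:object_r:fs_t;
genfscon reiserfs / system_u:object_r:nfs_t
genfscon proc / system_u:object_r:proc_t
"""


def parse_policy(text):
    """Collect fs_use_* and genfscon statements, ignoring comments."""
    fs_use, genfs = {}, {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().rstrip(";").split()
        if len(parts) == 3 and parts[0].startswith("fs_use_"):
            # fs_use_<behavior> <fstype> <context>
            fs_use[parts[1]] = (parts[0][len("fs_use_"):], parts[2])
        elif len(parts) == 4 and parts[0] == "genfscon":
            # genfscon <fstype> <path> <context>
            genfs.setdefault(parts[1], []).append((parts[2], parts[3]))
    return fs_use, genfs


def labeling_behavior(text, fstype):
    """Return (behavior, context) for the root of a filesystem type."""
    fs_use, genfs = parse_policy(text)
    if fstype in fs_use:
        return fs_use[fstype]
    for path, context in genfs.get(fstype, []):
        if path == "/":
            return ("genfs", context)
    return ("none", None)


def uses_xattr_handlers(text, fstype):
    """True when the policy makes SELinux call the filesystem's xattr code."""
    return labeling_behavior(text, fstype)[0] == "xattr"


if __name__ == "__main__":
    for name, policy in (("before", BEFORE), ("after", AFTER)):
        print(name, labeling_behavior(policy, "reiserfs"))
```

With the "after" fragment every reiserfs inode gets the one `nfs_t` context, so per-file labels are not available on that filesystem.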