Bug 149160 - inode labeling race / SELinux
Summary: inode labeling race / SELinux
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
: ---
Assignee: James Morris
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-02-19 16:44 UTC by James Morris
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-06-02 04:00:29 UTC
Target Upstream Version:
Embargoed:



Description James Morris 2005-02-19 16:44:58 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007

Description of problem:
There is a race in inode labeling where, during inode creation, the inode becomes available to other threads before the LSM post_create hook is called (where SELinux labeling is done).

The purpose of this BZ entry is to track the status of the issue.

Version-Release number of selected component (if applicable):
all current kernels

How reproducible:
Always

Steps to Reproduce:
1. Using an ext2 or ext3 fs (or likely others with security EAs), run dbench under a very high load.

Actual Results:  Sometimes, there will be a race between rmdir and labeling, where a dbench client directory cannot be removed because its inode is yet to be labeled.

Expected Results:  inodes should be labeled before being available to other threads

Additional info:

SELinux has a safe fallback for this situation: by default, unlabeled files are treated with a special label internally.  However, the overall security may be reduced if people deploy looser policies to work around the denials which may occur.
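
An added example, not part of the bug report or of the kernel's code: a Python check that picks out AVC denials whose target carries the unlabeled fallback label, so denials caused by this race can be told apart from genuine policy denials before anyone loosens policy. The type name `unlabeled_t`, the record layout and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumption: the "special label" in the report shows up in AVC records as the
# type unlabeled_t (the SELinux "unlabeled" initial SID).
UNLABELED_TYPE = "unlabeled_t"

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'\bcomm="?(?P<comm>[^"\s]+)"?')


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def unlabeled_denials(lines):
    """Yield (comm, tclass, perms) for each denial whose target is unlabeled."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m or context_type(m.group("tcontext")) != UNLABELED_TYPE:
            continue
        comm = COMM_RE.search(line)
        perms = tuple(m.group("perms").split())
        yield (comm.group("comm") if comm else "?", m.group("tclass"), perms)


def summarize(lines):
    """Count unlabeled-target denials per (comm, tclass, perms)."""
    return Counter(unlabeled_denials(lines))


# Constructed sample records; they are not taken from the bug report.
SAMPLE_LOG = [
    'audit(1108831498.101:0): avc:  denied  { rmdir } for  pid=4101 comm="dbench" name="c1" dev=sda2 ino=4711 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:unlabeled_t tclass=dir',
    'audit(1108831498.377:0): avc:  denied  { rmdir } for  pid=4102 comm="dbench" name="c2" dev=sda2 ino=4712 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:unlabeled_t tclass=dir',
    'audit(1108831499.020:0): avc:  denied  { read } for  pid=2210 comm="httpd" name="x" dev=sda2 ino=90 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file',
    'audit(1108831499.550:0): avc:  granted  { rmdir } for  pid=4103 comm="dbench" name="c3" dev=sda2 ino=4713 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:unlabeled_t tclass=dir',
    'audit(1108831500.004:0): avc:  denied  { getattr } for  pid=4101 comm="dbench" name="f" dev=sda2 ino=4720 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:unlabeled_t tclass=file',
]

if __name__ == "__main__":
    for (comm, tclass, perms), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  comm={comm} tclass={tclass} perms={' '.join(perms)}")
```

Denials counted here point at objects that were accessed before labeling finished, not at a rule missing from policy, so they are not a reason to add allow rules.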

