Bug 161834 - kernel panic after updating to 1.17.30-3.13
kernel panic after updating to 1.17.30-3.13
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
3
i686 Linux
medium Severity high
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-06-27 12:53 EDT by Darren Brierton
Modified: 2007-11-30 17:11 EST (History)
7 users (show)

See Also:
Fixed In Version: 1.17.30-3.16
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-08-19 05:45:45 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
avc denied messags from /var/log/messages for selinux-policy-targeted-1.17.30-3.13 (11.32 KB, text/plain)
2005-06-27 18:39 EDT, Christofer C. Bell
no flags Details

  None (edit)
Description Darren Brierton 2005-06-27 12:53:46 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
I ran sudo yum update today and selinux-policy-targeted and selinux-policy-targeted-sources were updated and immediately my system became unresponsive and I had to do a hard reboot.

Afterwards I could not boot into FC3 at all. This was the error I got:

audit(1119882959.657:0): avc: denied { execmod } for pid=1 comm=init path=/lib/tls/libc-2.3.5.so dev=hda3 ino=2638668 
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:shlib_t 
tclass=file
/sbin/init: error while loading shared libraries : /lib/tls/libc.so.6: 
cannot apply additional memory protection after relocation: Permission 
denied
Kernel panic - not syncing: Attempted to kill init!

I rebooted using enforcing=0 (rather than selinux=0) successfully. I then did the following:

su -
rpm -ev selinux-policy-targeted selinux-policy-targeted-sources
rm -fR /etc/selinux/targeted/
rpm -ivh /var/cache/yum/updates-released/packages/selinux-policy-targeted-1.17.30-3.9.noarch.rpm /var/cache/yum/updates-released/packages/selinux-policy-targeted-sources-1.17.30-3.9.noarch.rpm
touch /.autorelabel

and everything worked fine.

Once I was confident that I could easily revert back to a working system, I thought I would try the updated 1.17.30-3.13 packages again. So I removed the cached versions of the packages, downloaded them manually, and then repeated the steps above so that instead of upgrading the packages I did a completely clean install of them. This time the system didn't become unstable but again I couldn't reboot, for exactly the same reason as before.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-3.13

How reproducible:
Always

Steps to Reproduce:
1. Install selinux-policy-targeted-1.17.30-3.13
2. Reboot.
3.
  

Actual Results:  Kernel panic.

Expected Results:  A bootable system.

Additional info:
Comment 1 Darren Brierton 2005-06-27 12:56:10 EDT
I'm currently running kernel-2.6.11-1.27_FC3.
Comment 2 Stephen Smalley 2005-06-27 13:42:27 EDT
rpm -q -f /lib/tls/libc-2.3.5.so
What is it?  A compatibility library?  Why does it require text relocations?

execmod and execmem need to be allowed universally on FC3 until it is updated
to 2.6.12, as ppc32 systems will otherwise fail due to RWE segments and even
x86 systems will have problems with legacy binaries.

Un-aliasing lib_t, shlib_t, and texrel_shlib_t in a policy update is unsafe; the
kernel has already internally folded them together into a single type on any
incore inodes.
Comment 3 Darren Brierton 2005-06-27 17:20:23 EDT
(In reply to comment #2)
> rpm -q -f /lib/tls/libc-2.3.5.so
> What is it?

$ rpm -qf /lib/tls/libc-2.3.5.so
glibc-2.3.5-0.fc3.1

$ rpm -qf /lib/tls/libc.so.6
glibc-2.3.5-0.fc3.1
Comment 4 Christofer C. Bell 2005-06-27 18:39:24 EDT
Created attachment 116038 [details]
avc denied messags from /var/log/messages for selinux-policy-targeted-1.17.30-3.13

The log messages start approximately 1 hour after the yum update service
installed the new selinux policy on my system.	They continue until my attempts
to shut down the machine failed due to the new policy.	I've since reverted to
the previous version and all issues have resolved.  I believe this to be a bug
with the new policy files.
Comment 5 Arthur Pemberton 2005-06-28 10:08:42 EDT
From /var/log/yum.log:

Jun 27 04:25:18 Updated: selinux-policy-targeted.noarch 1.17.30-3.13
Jun 27 04:26:21 Updated: selinux-policy-targeted-sources.noarch 1.17.30-3.13
------------------------------------------------

Since then things have come tumbling down here are samples of the errors:

Jun 27 04:25:27 Romeo kernel: audit(1119860727.362:0): avc:  denied  { execmod }
for  pid=6990 comm=sendmail path=/lib/tls/libm-2.3.5.so dev=dm-0 ino=5455897
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

Jun 27 04:30:01 Romeo kernel: audit(1119861001.392:0): avc:  denied  { execmod }
for  pid=6994 comm=crond path=/lib/libnsl-2.3.5.so dev=dm-0 ino=5455874
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

Jun 27 04:30:01 Romeo kernel: audit(1119861001.413:0): avc:  denied  { execmod }
for  pid=6994 comm=crondpath=/lib/libcrypt-2.3.5.sodev=dm-0ino=5455909
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

Jun 27 04:53:38 Romeo kernel: audit(1119862418.204:0): avc:  denied  { execmem }
for  pid=4238 comm=mysqld scontext=user_u:system_r:mysqld_t
tcontext=user_u:system_r:mysqld_t tclass=process

Jun 27 08:22:09 Romeo kernel: audit(1119874929.566:0): avc:  denied  { connect }
for  pid=4251 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t
tcontext=user_u:system_r:httpd_t tclass=tcp_socket
-------------------------------------------------------------

The most noticeable result of all this is that mysql has died:

050627 07:19:27  mysqld started
050627  7:19:28 [Warning] Asked for 196608 thread stack, but got 126976
050627  7:19:28 [ERROR] Fatal error: Can't change to run as user 'mysql' ; 
Please check that the user exists!

( I still have not been able to figure out where the mysql user dissappeared to ) 

I have since reverted to the previous release and everythign is abck to normal.
Comment 6 Stephen Smalley 2005-06-28 11:25:18 EDT
If anyone is willing to reproduce, please do the following:
- Put the machine into permissive mode first (boot the kernel with enforcing=0
or run setenforce 0 prior to the next step),
- Enable syscall auditing first (boot the kernel with audit=1 or run auditctl -e
1 prior to the next step),
- Clear /var/log/messages,
- Update to the broken policy,
- Collect some audit data in /var/log/messages,
- Try running one of programs that was failing under strace and collect that output,
- Revert to a working policy,
- Reboot.

The main issue that concerns me is why execmod checks are being triggered
here, as they should only occur on attempts to make executable a modified
private file mapping, typically only for text relocations, and thus they
should not be pervasive even given the brokenness of that particular policy.
Comment 7 Stephen Smalley 2005-06-28 14:29:51 EDT
Per bz 161867, the problem only manifested on systems running kernel
2.6.11-1.27_FC3, not on systems running kernel 2.6.11-1.35_FC3.  AFAIK,
SELinux kernel code did not change between these kernels; FC3 kernel carries no
SELinux-related patches and the baseline didn't include any.  Side effect of
another kernel patch, e.g. exec-shield?
Comment 8 Stew Schneider 2005-06-30 19:39:51 EDT
(In reply to comment #6)
> If anyone is willing to reproduce, please do the following:
I added audit=1 to the kernel boot line and set /etc/selinux/config to
permissive. I'm running kernel 2.6.11-1.35_FC3. Last night, I updated to SELinux
policy selinux-policy-targeted.noarch 0:1.17.30-3.15. Prior to that, I had the
kernel panic mentioned once, and was unable to run OpenOffice 1.9x or 1.1 unless
I entered setenforce 0. After following your instructions, I got the following
(edited from /var/log/messages
Jun 30 18:56:37 Lenny kernel: SELinux:  Initializing.
Jun 30 18:56:37 Lenny kernel: SELinux:  Starting in permissive mode
. . .
Jun 30 18:56:37 Lenny kernel: selinux_register_security:  Registering secondary
module capability
Jun 30 18:56:37 Lenny kernel: SELinux:  Registering netfilter hooks
. . .
Jun 30 18:56:38 Lenny kernel: security:  3 users, 4 roles, 343 types, 30 bools
Jun 30 18:56:38 Lenny kernel: security:  55 classes, 14891 rules
Jun 30 18:56:38 Lenny kernel: SELinux:  Completing initialization.
Jun 30 18:56:38 Lenny kernel: SELinux:  Setting up existing superblocks.
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev hda2, type ext3), uses xattr
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev selinuxfs, type
selinuxfs), uses genfs_contexts
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev mqueue, type mqueue),
not configured for labeling
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev hugetlbfs, type
hugetlbfs), not configured for labeling
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev devpts, type devpts),
uses transition SIDs
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev eventpollfs, type
eventpollfs), uses genfs_contexts
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev futexfs, type futexfs),
uses genfs_contexts
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev pipefs, type pipefs),
uses task SIDs
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev sockfs, type sockfs),
uses task SIDs
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev proc, type proc), uses
genfs_contexts
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev bdev, type bdev), uses
genfs_contexts
Jun 30 18:56:38 Lenny netfs: Mounting other filesystems:  succeeded
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev rootfs, type rootfs),
uses genfs_contexts
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev sysfs, type sysfs), uses
genfs_contexts
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev usbfs, type usbfs), uses
genfs_contexts
. . .
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev hda1, type ext3), uses xattr
Jun 30 18:56:38 Lenny kernel: kjournald starting.  Commit interval 5 seconds
Jun 30 18:56:38 Lenny kernel: EXT3 FS on hdb1, internal journal
Jun 30 18:56:38 Lenny kernel: EXT3-fs: mounted filesystem with ordered data mode.
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev hdb1, type ext3), uses xattr
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
Jun 30 18:56:38 Lenny kernel: Adding 779144k swap on /dev/hda3.  Priority:-1
extents:1
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev binfmt_misc, type
binfmt_misc), uses genfs_contexts
Jun 30 18:56:38 Lenny kernel: parport0: PC-style at 0x378 (0x778) [PCSPP,TRISTATE]
Jun 30 18:56:38 Lenny kernel: parport0: irq 7 detected
Jun 30 18:56:38 Lenny kernel: parport0: Printer, EPSON Stylus C84
Jun 30 18:56:38 Lenny kernel: Device not ready. Make sure there is a disc in the
drive.
Jun 30 18:56:38 Lenny kernel: Device not ready. Make sure there is a disc in the
drive.
Jun 30 18:56:38 Lenny autofs: automount startup succeeded
Jun 30 18:56:38 Lenny kernel: Device not ready. Make sure there is a disc in the
drive.
Jun 30 18:56:38 Lenny last message repeated 5 times
Jun 30 18:56:38 Lenny kernel: ip_tables: (C) 2000-2002 Netfilter core team
Jun 30 18:56:38 Lenny kernel: ip_conntrack version 2.1 (2560 buckets, 20480 max)
- 272 bytes per conntrack
Jun 30 18:56:38 Lenny kernel: PCI: Found IRQ 10 for device 0000:00:0f.0
Jun 30 18:56:38 Lenny kernel: SELinux: initialized (dev rpc_pipefs, type
rpc_pipefs), uses genfs_contexts
. . .
Jun 30 18:56:58 Lenny rc: Starting readahead:  succeeded
Jun 30 18:56:58 Lenny kernel: audit(1120172218.630:754310): avc:  denied  {
execmod } for  pid=3688 comm=rcd path=/lib/ld-2.3.5.so dev=hda2 ino=798573
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:ld_so_t tclass=file
Jun 30 18:56:58 Lenny kernel: audit(1120172218.630:754310): syscall=125
per=400000 exit=0 a0=b7ffe000 a1=1000 a2=1 a3=b7fff1b8 items=0 pid=3688
loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
. . .
Jun 30 18:57:31 Lenny gdm[4105]: gdm_auth_user_add: /home/stewart/.Xauthority
has wrong permissions (should be 0600)
Jun 30 18:57:57 Lenny gconfd (stewart-4333): starting (version 2.8.1), pid 4333
user 'stewart'
Jun 30 18:57:57 Lenny gconfd (stewart-4331): starting (version 2.8.1), pid 4331
user 'stewart'
Jun 30 18:57:57 Lenny gconfd (stewart-4333): Failed to get lock for daemon,
exiting: Failed to lock '/tmp/gconfd-stewart/lock/ior': probably another process
has the lock, or your operating system has NFS file locking misconfigured
(Resource temporarily unavailable)
Jun 30 18:57:58 Lenny gconfd (stewart-4331): Resolved address
"xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration
source at position 0
Jun 30 18:57:58 Lenny gconfd (stewart-4331): Resolved address
"xml:readwrite:/home/stewart/.gconf" to a writable configuration source at
position 1
Jun 30 18:57:58 Lenny gconfd (stewart-4331): Resolved address
"xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source
at position 2
Jun 30 18:57:59 Lenny kernel: audit(1120172279.751:1094460): avc:  denied  {
execmod } for  pid=4337 comm=gpg path=/usr/bin/gpg dev=hda2 ino=344168
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file
Jun 30 18:57:59 Lenny kernel: audit(1120172279.751:1094460): syscall=125
per=400000 exit=0 a0=b7f5e000 a1=a2000 a2=5 a3=b7f5ff3e items=0 pid=4337
loginuid=-1 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
Jun 30 18:58:21 Lenny kernel: NET: Registered protocol family 4
Jun 30 18:58:21 Lenny kernel: NET: Registered protocol family 5

. . .

With SELinux set to permissive, I can run OpenOffice. With it set to enforce, I
cannot. HTH
Comment 9 Stew Schneider 2005-07-03 09:09:47 EDT
A note from another member of our LUG:
Anyway, Now I'm getting this when I try to boot my computer.

avc: denied {execmod} for pid=1 comm=init path=/lib/ld-2.3.5.so dev=hda2
ino=6291464 scontext=user_u:system_r: uconfined_t tcontext=system_u:
object_r:ld_so_t tclass=file



sbin/init:  error while loading shared libraries: /lib/ld-linux.so.2: 
cannot apply additional memory protection after relocation:  Permission
denied

Kernel panic - not syncing:  Attempted to kill init!


I'm running Fedora Core 3 with kernel 2.6.11.11 
Comment 10 Daniel Walsh 2005-07-03 11:20:29 EDT
Fixed in selinux-policy-targeted-1.17.30-3.16
Comment 11 Walter Justen 2005-08-19 05:45:45 EDT
package update is public

Note You need to log in before you can comment on or make changes to this bug.