Bug 166404 - Selinux prevents mounting of capifs during boot
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: kernel
Version: 4
Hardware: i386 Linux
Priority: medium
Severity: high
Assigned To: Dave Jones
QA Contact: Brian Brock
Reported: 2005-08-20 11:39 EDT by Christoph Wickert
Modified: 2015-01-04 17:21 EST
Fixed In Version: kernel-2.6.13-1.1526_FC4
Doc Type: Bug Fix
Last Closed: 2005-10-01 17:31:22 EDT

Attachments
/var/log/messages from boot with enabled selinux (344.19 KB, text/plain)
2005-08-20 11:42 EDT, Christoph Wickert
/var/log/messages from a boot with permissive selinux (62.53 KB, text/plain)
2005-08-20 11:42 EDT, Christoph Wickert
Patch submitted upstream (649 bytes, patch)
2005-08-27 12:27 EDT, James Morris
Description Christoph Wickert 2005-08-20 11:39:22 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6

Description of problem:
I have successfully installed an AVM Fritzcard PCI with CAPI. CAPI works fine as long as selinux is disabled or in permissive mode.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.3-12

How reproducible:
Always

Steps to Reproduce:
1. echo "modprobe capifs " > /etc/sysconfig/modules/capi.modules
2. chmod +x  /etc/sysconfig/modules/capi.modules
3. reboot
  

Actual Results: The computer oopses while trying to modprobe capifs. Another 117 (!) oopses during boot (see attached messages.enforcing-1), not able to log in then (oops, he did it again), so I have to reboot with enforcing=0 and disable /etc/sysconfig/modules/capi.modules

Aug 20 16:11:06 hal9000 kernel: SELinux: initialized (dev capifs, type capifs), not configured for labeling
Aug 20 16:11:06 hal9000 kernel: audit(1124554245.343:2): avc:  denied  { mount } for  pid=1107 comm="modprobe" name="/" dev=capifs ino=1 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
Aug 20 16:11:06 hal9000 kernel: Unable to handle kernel paging request at virtual address e0e004c0
Aug 20 16:11:06 hal9000 kernel:  printing eip:
Aug 20 16:11:06 hal9000 kernel: c01a1cf1
Aug 20 16:11:06 hal9000 kernel: *pde = 1d9c7067
Aug 20 16:11:06 hal9000 kernel: Oops: 0000 [#1]

(from attached messages.enforcing-1)

Expected Results: Computer should boot normally and capifs should be loaded. In permissive mode it looks like this:
Aug 20 16:15:27 hal9000 kernel: SELinux: initialized (dev capifs, type capifs), not configured for labeling
Aug 20 16:15:27 hal9000 kernel: audit(1124554514.755:2): avc:  denied  { mount } for  pid=1616 comm="modprobe" name="/" dev=capifs ino=1 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
Aug 20 16:15:27 hal9000 kernel: capifs: Rev 1.1.2.3

(from attached messages.enforcing-0)

Additional info:

After bootup I can modprobe capifs or run capiinit as root without any problems, only modprobing capifs or running capiinit from an initscript at boot causes oopses.
Comment 1 Christoph Wickert 2005-08-20 11:42:19 EDT
Created attachment 117945
/var/log/messages from boot with enabled selinux
Comment 2 Christoph Wickert 2005-08-20 11:42:52 EDT
Created attachment 117946
/var/log/messages from a boot with permissive selinux
Comment 3 Daniel Walsh 2005-08-22 09:35:38 EDT
I will add capifs support to policy, but the kernel should not be oopsing.
Transferring bug to kernel.
Comment 4 James Morris 2005-08-26 20:44:31 EDT
Looks like a bug in capifs.  It doesn't call unregister_filesystem() when
kern_mount() fails during initialization.
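
The error-path pattern described in comment 4, as an added userspace model that is not part of the original bug thread and is not the submitted patch. The `model_*` functions, `struct module`, `capifs_model` and `load_and_count_stale` are hypothetical stand-ins for the kernel's filesystem list and module loader; the model shows why a registration left behind by a failed init leaves that list pointing at an unloaded module.

```c
/* Userspace model of the init error path; model_* names are stand-ins, not kernel APIs. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct module  { bool loaded; };   /* stand-in for the module's memory */
struct fs_type { const char *name; struct module *owner; struct fs_type *next; };
static struct fs_type *fs_list;    /* models the kernel's list of registered filesystems */

static void model_register_fs(struct fs_type *fs) { fs->next = fs_list; fs_list = fs; }
static void model_unregister_fs(struct fs_type *fs) {
    for (struct fs_type **p = &fs_list; *p; p = &(*p)->next)
        if (*p == fs) { *p = fs->next; fs->next = NULL; return; }
}
/* Models kern_mount(): fails when policy denies { mount }, as in the AVC record. */
static int model_kern_mount(bool denied) { return denied ? -1 : 0; }
/* Behaviour described in comment 4: returns the error without unregistering. */
static int init_buggy(struct fs_type *fs, bool denied) {
    model_register_fs(fs);
    return model_kern_mount(denied);          /* on failure fs stays on fs_list */
}
/* Error path undoes the registration before reporting failure. */
static int init_fixed(struct fs_type *fs, bool denied) {
    model_register_fs(fs);
    int err = model_kern_mount(denied);
    if (err < 0)
        model_unregister_fs(fs);
    return err;
}
/* Loader model: a failed init unloads the module. Returns how many list entries
 * still point at an unloaded module (pointers into freed memory in a real kernel). */
static int load_and_count_stale(int (*init)(struct fs_type *, bool), bool denied) {
    static struct module mod;
    static struct fs_type capifs_model;
    mod.loaded = true;
    capifs_model = (struct fs_type){ "capifs", &mod, NULL };
    fs_list = NULL;
    if (init(&capifs_model, denied) < 0)
        mod.loaded = false;                   /* module memory would be freed here */
    int stale = 0;
    for (struct fs_type *p = fs_list; p; p = p->next)
        stale += !p->owner->loaded;
    return stale;
}
int main(void) {
    printf("buggy init, mount denied: %d stale\n", load_and_count_stale(init_buggy, true));
    printf("fixed init, mount denied: %d stale\n", load_and_count_stale(init_fixed, true));
    return 0;
}
```
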
Comment 5 James Morris 2005-08-27 12:27:21 EDT
Created attachment 118189
Patch submitted upstream
Comment 6 Dave Jones 2005-09-23 22:12:14 EDT
fixed in updates-testing
Comment 7 Dave Jones 2005-09-30 02:28:13 EDT
Mass update to all FC4 bugs:

An update has been released (2.6.13-1.1526_FC4) which rebases to a new upstream
kernel (2.6.13.2). As there were ~3500 changes upstream between this and the
previous kernel, it's possible your bug has been fixed already.

Please retest with this update, and update this bug if necessary.

Thanks.
Comment 8 Christoph Wickert 2005-10-01 17:31:22 EDT
For me the bug was fixed with selinux-policy-targeted-1.25.4-10 which added
capifs support. I tried to reproduce the bug with an older version of
selinux-policy-targeted and kernel-2.6.12-1.1447_FC4, kernel-2.6.12-1.1456_FC4
and current kernel-2.6.13-1.1526_FC4. No more oopses, so I am going to close this
bug now.
