Bug 174317 - XFS incompatible with SELinux.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: kernel
Version: 4
Platform: i686 Linux
Priority: medium
Severity: medium
Assigned To: Eric Paris
QA Contact: Brian Brock
Reported: 2005-11-27 15:56 EST by Ronny Fischer
Modified: 2008-08-02 19:40 EDT
Last Closed: 2006-07-29 00:53:52 EDT
Doc Type: Bug Fix

Description Ronny Fischer 2005-11-27 15:56:37 EST
From Bugzilla Helper:
User-Agent: Opera/8.51 (X11; Linux i686; U; de)

Description of problem:
After upgrading from kernel 2.6.13-1.1532 to 2.6.14-1.1637 the system hangs when 
booting the new kernel. Specifically it is not starting the syslog daemon.

Disabling SELinux resolves this, but this is not good practice.

Version-Release number of selected component (if applicable):
kernel-2.6.14-1.1637

How reproducible:
Always

Steps to Reproduce:
1. boot with FC4 (2.6.14-1.1637)
2. wait for starting syslog daemon
3. nothing
  

Actual Results:  FC4 stops further boot process and can only be terminated through reset.

Additional info:

FC4 runs on a laptop with Intel Pentium M 1.73, 1GB RAM.
Comment 1 Dave Jones 2005-11-28 14:59:55 EST
did you also update your selinux-policy-targeted rpm to the latest ?
Comment 2 Ronny Fischer 2005-11-29 05:27:17 EST
An update to the latest selinux-policy-targeted rpm
(selinux-policy-targeted-1.27.1-2.14) doesn't make any difference.
Comment 3 Daniel Walsh 2005-11-29 10:26:22 EST
Please run with SELinux enabled but enforcing=0.  This will run in permissive
mode and allow you to run normally but collect AVC messages.

Then submit the AVC messages?  This sounds like the /dev/log file has the wrong
context on it.  This should be set up by udev.

You will need to relabel the system now that you have run without SELinux.

touch /.autorelabel
reboot
Comment 4 Ronny Fischer 2005-11-30 03:14:18 EST
As requested, here are the AVC messages taken with "# dmesg | grep avc". I hope
this will help you.

audit(1133337280.519:2): avc:  denied  { read } for  pid=1568 comm="swapon"
name="blkid.tab" dev=sda7 ino=4202658 scontext=system_u:system_r:fsadm_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133337280.519:3): avc:  denied  { getattr } for  pid=1568 comm="swapon"
name="blkid.tab" dev=sda7 ino=4202658 scontext=system_u:system_r:fsadm_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133337287.603:4): avc:  denied  { getattr } for  pid=1889 comm="syslogd"
name="syslogd.pid" dev=sda7 ino=5246580 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133337287.603:5): avc:  denied  { lock } for  pid=1889 comm="syslogd"
name="syslogd.pid" dev=sda7 ino=5246580 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133337287.603:6): avc:  denied  { write } for  pid=1889 comm="syslogd"
name="syslogd.pid" dev=sda7 ino=5246580 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133337287.787:7): avc:  denied  { getattr } for  pid=1891 comm="klogd"
name="klogd.pid" dev=sda7 ino=5246659 scontext=system_u:system_r:klogd_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133337287.787:8): avc:  denied  { lock } for  pid=1891 comm="klogd"
name="klogd.pid" dev=sda7 ino=5246659 scontext=system_u:system_r:klogd_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133337287.787:9): avc:  denied  { write } for  pid=1891 comm="klogd"
name="klogd.pid" dev=sda7 ino=5246659 scontext=system_u:system_r:klogd_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133337288.663:10): avc:  denied  { write } for  pid=1910 comm="auditd"
name="auditd.pid" dev=sda7 ino=5246680 scontext=system_u:system_r:auditd_t
tcontext=system_u:object_r:file_t tclass=file
Comment 5 Daniel Walsh 2005-11-30 07:17:01 EST
You need to relabel your system.  file_t indicates that you have a file system
that was never labeled or you ran a system without selinux enabled at some
point.  You need to

touch /.autorelabel
reboot

Comment 6 Ronny Fischer 2005-12-02 17:16:03 EST
Excuse me please, but relabeling in the way you say doesn't work. The kernel
still hangs up at the same point. This also happens with the latest kernel
2.6.14-1.1644.
For your interest, SELinux ran (and is still running) from original shipped FC4
kernel 2.6.11-1.1369 till my actual kernel 2.6.13-1.1532 even through updates
without relabeling the filesystem or configuring anything else.
Comment 7 Daniel Walsh 2005-12-06 11:04:23 EST
What avc messages are you seeing now that you relabeled?

file_t should only happen on a badly labeled file system.
Comment 8 Ronny Fischer 2005-12-06 16:16:47 EST
Running SELinux in Permissive Mode now and having relabeled the fs gives me the
following AVC messages:

audit(1133907018.576:2): avc:  denied  { read } for  pid=392 comm="hotplug"
name="mtab" dev=sda7 ino=4206076 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133907018.576:3): avc:  denied  { getattr } for  pid=392 comm="hotplug"
name="mtab" dev=sda7 ino=4206076 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133903439.868:4): avc:  denied  { read } for  pid=1486 comm="fsck"
name="blkid.tab" dev=sda7 ino=4201631 scontext=system_u:system_r:fsadm_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133903439.868:5): avc:  denied  { getattr } for  pid=1486 comm="fsck"
name="blkid.tab" dev=sda7 ino=4201631 scontext=system_u:system_r:fsadm_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133903635.204:6): avc:  denied  { getattr } for  pid=1588 comm="swapon"
name="blkid.tab-PwS8Y2" dev=sda7 ino=4226282 scontext=system_u:system_r:fsadm_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133903635.204:7): avc:  denied  { setattr } for  pid=1588 comm="swapon"
name="blkid.tab-PwS8Y2" dev=sda7 ino=4226282 scontext=system_u:system_r:fsadm_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133903635.204:8): avc:  denied  { write } for  pid=1588 comm="swapon"
name="blkid.tab-PwS8Y2" dev=sda7 ino=4226282 scontext=system_u:system_r:fsadm_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133903635.204:9): avc:  denied  { rename } for  pid=1588 comm="swapon"
name="blkid.tab-PwS8Y2" dev=sda7 ino=4226282 scontext=system_u:system_r:fsadm_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133903635.204:10): avc:  denied  { read } for  pid=1588 comm="swapon"
name="blkid.tab" dev=sda7 ino=4226282 scontext=system_u:system_r:fsadm_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133903642.097:11): avc:  denied  { getattr } for  pid=1909 comm="syslogd"
name="syslogd.pid" dev=sda7 ino=5246578 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133903642.097:12): avc:  denied  { lock } for  pid=1909 comm="syslogd"
name="syslogd.pid" dev=sda7 ino=5246578 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133903642.097:13): avc:  denied  { write } for  pid=1909 comm="syslogd"
name="syslogd.pid" dev=sda7 ino=5246578 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133903642.201:14): avc:  denied  { getattr } for  pid=1911 comm="klogd"
name="klogd.pid" dev=sda7 ino=5246580 scontext=system_u:system_r:klogd_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133903642.201:15): avc:  denied  { lock } for  pid=1911 comm="klogd"
name="klogd.pid" dev=sda7 ino=5246580 scontext=system_u:system_r:klogd_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133903642.201:16): avc:  denied  { write } for  pid=1911 comm="klogd"
name="klogd.pid" dev=sda7 ino=5246580 scontext=system_u:system_r:klogd_t
tcontext=system_u:object_r:file_t tclass=file
audit(1133903642.853:17): avc:  denied  { write } for  pid=1930 comm="auditd"
name="auditd.pid" dev=sda7 ino=5246658 scontext=system_u:system_r:auditd_t
tcontext=system_u:object_r:file_t tclass=file

this is now for the actual kernel release 2.6.14-1.1644_FC4.
Comment 9 Daniel Walsh 2005-12-07 12:11:55 EST
What is the file system that has /etc/mtab on it?

You still have a labeling problem, and I think the problem is an unsupported
file system.

Dan
Comment 10 Ronny Fischer 2005-12-07 15:10:06 EST
Filesystem of /etc/mtab is xfs. Just /boot is ext3.

I can't believe that this is just depending on the fs. I mean, this problem
occurs only on kernel 2.6.14, not earlier. Kernel updates before this time
worked very well without any error and till this error SELinux was enabled and
working at every time.
Comment 12 Daniel Walsh 2005-12-07 16:04:08 EST
I saw someone report that the latest kernels have a problem with xfs and
extended attributes.  Basically SELinux relies on extended attributes and if they
are wrong nothing will work.
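Comment 5 says a file_t target means the inode carries no usable label, and Comment 12 says SELinux depends on the filesystem storing those labels as extended attributes. The script below is an added example, not code from the bug report, the Fedora kernel or the SELinux policy; it automates the triage done by hand in this thread. It reads kernel AVC lines (on a live box: dmesg | avc_unlabeled), lists each distinct inode whose target type is file_t, and, where getfattr from the attr package is installed, reads back the raw security.selinux attribute of a path so you can see whether a relabel actually reached the disk. The AVC sample lines are constructed from the format quoted in the report; the function names avc_unlabeled and selinux_xattr are my own.

```shell
#!/bin/sh
# Added example, not code from the bug report: triage AVC denials for
# unlabeled (file_t) targets and read back a file's security.selinux xattr.

# Constructed sample input, following the AVC format quoted in the report:
# three denials against two file_t inodes, one against a labeled inode.
SAMPLE_AVC='audit(1133903642.097:11): avc:  denied  { getattr } for  pid=1909 comm="syslogd" name="syslogd.pid" dev=sda7 ino=5246578 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
audit(1133903642.097:13): avc:  denied  { write } for  pid=1909 comm="syslogd" name="syslogd.pid" dev=sda7 ino=5246578 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
audit(1133903635.204:8): avc:  denied  { write } for  pid=1588 comm="swapon" name="blkid.tab-PwS8Y2" dev=sda7 ino=4226282 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:file_t tclass=file
audit(1133903700.000:20): avc:  denied  { read } for  pid=2000 comm="httpd" name="index.html" dev=sda7 ino=99 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file'

# avc_unlabeled: read AVC denial lines on stdin and print "comm name dev ino"
# once per distinct inode whose target type is file_t. file_t is what the
# policy assigns to an inode with no recognised security.selinux xattr, so
# every line printed is a labeling problem rather than a missing allow rule.
avc_unlabeled() {
    awk '
    /avc: *denied/ {
        comm = ""; name = ""; dev = ""; ino = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")          comm  = kv[2]
            else if (kv[1] == "name")     name  = kv[2]
            else if (kv[1] == "dev")      dev   = kv[2]
            else if (kv[1] == "ino")      ino   = kv[2]
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }  # user:role:type[:level]
        }
        gsub(/"/, "", comm); gsub(/"/, "", name)
        key = dev ":" ino
        if (ttype == "file_t" && !(key in seen)) {
            seen[key] = 1
            print comm, name, dev, ino
        }
    }'
}

# selinux_xattr PATH: print the raw security.selinux attribute of PATH, which
# is the value the kernel reads to compute the file's context. Returns 2 if
# getfattr is not installed, non-zero (and prints nothing) if the attribute
# is absent, i.e. the relabel never reached this inode or the filesystem
# did not store it.
selinux_xattr() {
    command -v getfattr >/dev/null 2>&1 || return 2
    getfattr --absolute-names --only-values -n security.selinux -- "$1" 2>/dev/null
}

# Demonstration on the constructed sample. On a live system use:
#   dmesg | avc_unlabeled
printf '%s\n' "$SAMPLE_AVC" | avc_unlabeled
```

On the reporter's box the interesting comparison is selinux_xattr on a file under the XFS root (e.g. /etc/mtab) against one under the ext3 /boot after touch /.autorelabel and a reboot: if /boot comes back with a proper context and the XFS file comes back empty or still maps to file_t, the fault is in the filesystem's xattr path rather than in the policy, which is the conclusion Comment 12 reaches.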
Comment 13 Ronny Fischer 2005-12-09 08:04:47 EST
So this means I have to wait till this problem is fixed in the kernel? Or is
there any method to manipulate the xfs extended attributes to fix this
temporarily?

I had a look at the bug report of the other one, it seemed to me that his error
is nearly the same as mine.

Thanks for your help so far, I hope you can manage it sometimes.
Comment 14 Daniel Walsh 2006-01-02 12:30:38 EST
You will have to wait until XFS support is fixed in the kernel
Comment 15 Dave Jones 2006-02-03 01:02:58 EST
This is a mass-update to all currently open kernel bugs.

A new kernel update has been released (Version: 2.6.15-1.1830_FC4)
based upon a new upstream kernel release.

Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.

This bug has been placed in NEEDINFO_REPORTER state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.

Thank you.
Comment 16 Ronny Fischer 2006-02-04 06:16:08 EST
The problem is still there with the latest kernel 2.6.15_1.1830.

After installing the kernel, I set up SELinux back to ENFORCING and relabeled
the file system. After that, the same errors mentioned here in this thread
occurred during the boot process.
When setting SELinux back to mode PERMISSIVE (with another relabeling), the
system works well, but without real SELinux protection.
Comment 17 Ronny Fischer 2006-02-10 01:46:07 EST
If XFS is incompatible with SELinux, why did it work with earlier Kernels until 
2.6.13?
Comment 18 Daniel Walsh 2006-02-10 09:01:43 EST
Changes in some of the patches broke the extended attribute support of XFS.  I
am not a kernel engineer, so I do not know exactly what broke.

Dan
Comment 19 Ronny Fischer 2006-02-11 16:15:58 EST
Thanks for this information, I appreciate the help you provided.
Hope this bug won't stay unresolved for too long.
Comment 20 Dave Jones 2006-05-29 00:32:09 EDT
This should be fixed in the 2.6.16 based kernel updates.
Comment 21 Ronny Fischer 2006-06-02 02:25:13 EDT
Awright, will check it with FC5 and latest kernel-release.

Thx a lot
Comment 23 Dave Jones 2006-07-29 00:53:52 EDT
Should be fixed. Reopen if still a problem.