Red Hat Bugzilla – Bug 176600
2.6.14 breaks SELinux support for XFS and ReiserFS
Last modified: 2007-11-30 17:11:19 EST
Description of problem:
When using 2.6.14 with SELinux and the XFS filesystem, SELinux support is broken. Specifically, files are no longer created with the proper context.
Steps to Reproduce:
1. Install FC4.
2. Update to the most recent kernel (2.6.14-1.1653_FC4).
Actual Results: I receive a bunch of access-denied messages for hotplug, syslog, and other daemons.
Expected Results: File contexts are set appropriately and applications can access the required files.
It looks like the kernel developers had a discussion about this and semi-intentionally broke SELinux for ReiserFS and XFS.
There is also a patch for XFS here that fixes the problem (although not in the most complete way):
From the mailing list, it looks like a proper fix is scheduled for the 2.6.16 kernel.
There are potential workarounds:
1. Rebuild the kernel with the above patch.
2. Disable SELinux or set it to permissive mode until an updated kernel is available.
3. If doing a new install, use JFS or ext3.
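A defender's check for the symptom described in this report (new inodes not receiving a SELinux label), written as an added example; it is not code from the bug report, Red Hat, or the kernel patches under discussion. It assumes a Linux host where the label of a file is exposed as the security.selinux extended attribute; the read_label parameter, the assess_labels function and its status names are this example's own, chosen so the decision logic can also run offline against constructed labels. Absent a type_transition rule in policy a new inode inherits its parent directory's type, which is what the check compares against.

```python
"""Check whether a filesystem labels newly created inodes under SELinux.

Added example for this bug report, not code from Bugzilla or the kernel
tree. Assumes a Linux host where the SELinux label is exposed as the
'security.selinux' extended attribute (read with os.getxattr). The
read_label parameter is an assumption of this example so the logic can
run offline against constructed labels.
"""
import os
import sys
import tempfile
from typing import Callable, Dict, Optional


def read_selinux_label(path: str) -> Optional[str]:
    """Return the security.selinux xattr of path, or None if it is absent
    or the kernel/filesystem does not expose it."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):  # ENODATA/ENOTSUP, or no getxattr (non-Linux)
        return None
    return raw.decode("utf-8", "replace").rstrip("\x00")


def label_type(label: Optional[str]) -> Optional[str]:
    """Extract the type field from 'user:role:type:level'
    (e.g. 'system_u:object_r:var_log_t:s0' -> 'var_log_t')."""
    if not label:
        return None
    parts = label.split(":")
    return parts[2] if len(parts) >= 3 else None


def assess_labels(parent_label: Optional[str],
                  file_label: Optional[str]) -> Dict[str, Optional[str]]:
    """Classify a new file's label relative to its parent directory.

    Status values (names are this example's own):
      missing   - no label at all: the filesystem did not label the inode,
                  the symptom reported in this bug
      unlabeled - labelled unlabeled_t, which confined domains cannot use
      differs   - labelled with a type other than the parent's; may be a
                  legitimate type_transition, flagged for review only
      ok        - label present and type matches the parent directory
    """
    ftype = label_type(file_label)
    ptype = label_type(parent_label)
    if file_label is None or ftype is None:
        status = "missing"
    elif ftype == "unlabeled_t":
        status = "unlabeled"
    elif ptype is not None and ftype != ptype:
        status = "differs"
    else:
        status = "ok"
    return {"status": status, "parent": parent_label, "file": file_label}


def check_new_inode_label(directory: Optional[str] = None,
                          read_label: Callable[[str], Optional[str]] = read_selinux_label
                          ) -> Dict[str, Optional[str]]:
    """Create and remove a temporary file in directory (default: the system
    temp dir) and report how the kernel labelled it. read_label defaults
    to the real xattr reader; pass another callable to test offline."""
    directory = directory or tempfile.gettempdir()
    parent_label = read_label(directory)
    fd, path = tempfile.mkstemp(prefix=".selinux-label-check-", dir=directory)
    try:
        os.close(fd)
        file_label = read_label(path)
    finally:
        os.unlink(path)
    return assess_labels(parent_label, file_label)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/tmp"
    report = check_new_inode_label(target)
    print(f"{target}: {report['status']} "
          f"(dir={report['parent']}, file={report['file']})")
    # Non-zero exit when the filesystem failed to label the new inode.
    sys.exit(0 if report["status"] in ("ok", "differs") else 1)
```

Run it against a directory on the filesystem in question (for example the mount point of the XFS volume) while SELinux is enforcing or permissive; a "missing" or "unlabeled" result on an otherwise labelled filesystem is the condition that produces the access-denied messages described above, and is a cheap thing to re-run after a kernel update before re-enabling enforcing mode.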
To be clear, we were fixing a problem in the security labeling of new inodes.
The patches in question were discussed openly, at least one XFS maintainer (hch)
knew about the patches and actively encouraged us to remove the old hooks
despite potential breakage in order to provide consistent interface/semantics
and said he would fix XFS ASAP (but didn't), and the patches lived in -mm for
some time before going to Linus. The fact that no fix was provided for XFS in
time for 2.6.14 (or 2.6.15) was IMHO not our fault; we warned people about the
issue, and even offered to hold the patch removing the old hooks, but no one
spoke up until after 2.6.14 was already long since released and 2.6.15 was
already at -rc4. We fixed the filesystems we use and test ourselves, and the
JFS maintainers took care of their filesystem in response to the open discussion
of the patches.
reiserfs folks didn't respond, and SELinux support has never been a priority to
them AFAIK. SuSE did some work incorporated into 2.6.12 that allegedly enabled
SELinux to work properly with the reiserfs xattrs (but I do not have any
specific reports of people successfully using SELinux with reiserfs, nor have I
ever tried it); prior to 2.6.12, reiserfs wasn't working with SELinux anyway.
Unlikely that they will take any action to fix it again since SELinux is not
supported by SuSE.
Easiest answer is to disable SELinux if using XFS until 2.6.16.
I would also suggest contacting the XFS maintainer for clarification of his
intentions and timeframe for an upstream fix.
This is a mass-update to all currently open kernel bugs.
A new kernel update has been released (Version: 2.6.15-1.1830_FC4)
based upon a new upstream kernel release.
Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.
This bug has been placed in NEEDINFO_REPORTER state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks' time, it will be closed.
Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.
If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.
Not fixed in 2.6.15-1.1830_FC4.
Per above comments, looks hopeful for 2.6.16.
Yes, xfs workaround is in Linus' tree for 2.6.16.
No fix for reiserfs in sight yet.
Did this ever get fixed in .17 / .18 ?
xfs should work with SELinux for kernels >= 2.6.16.
reiserfs is still not fixed, and no one seems interested in fixing it.
I'd suggest filing this in the upstream kernel.org bugzilla, as it's highly
unlikely anyone at Red Hat is going to fix this due to us not supporting reiserfs.