From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050811 Fedora/1.7.10-1.1.1.legacy

Description of problem:
When using 2.6.14 with SELinux and the XFS filesystem, SELinux support is broken. Specifically, files are no longer created with the proper context.

Version-Release number of selected component (if applicable):
2.6.14-1.1653_FC4

How reproducible:
Always

Steps to Reproduce:
1. Install FC4.
2. Update to the most recent kernel (2.6.14-1.1653_FC4).
3. Reboot.

Actual Results:
I receive a bunch of access-denied messages for hotplug, syslog, and other daemons.

Expected Results:
File contexts are set appropriately and applications can access the required files.

Additional info:
It looks like the kernel developers had a discussion about this and semi-intentionally broke SELinux for ReiserFS and XFS. See: http://marc.theaimsgroup.com/?l=selinux&m=112653995009765&w=2

There is also a patch for XFS here that fixes the problem (although not in the most complete way): http://oss.sgi.com/archives/linux-xfs/2005-12/msg00051.html

From the mailing list, it looks like a proper fix is scheduled for the 2.6.16 kernel.

There are potential workarounds:
1. Rebuild the kernel with the above patch.
2. Disable selinux or set it to permissive mode until an updated kernel is available.
3. If doing a new install, use JFS or ext3.
To be clear, we were fixing a problem in the security labeling of new inodes. The patches in question were discussed openly, at least one XFS maintainer (hch) knew about the patches and actively encouraged us to remove the old hooks despite potential breakage in order to provide consistent interface/semantics and said he would fix XFS ASAP (but didn't), and the patches lived in -mm for some time before going to Linus. The fact that no fix was provided for XFS in time for 2.6.14 (or 2.6.15) was IMHO not our fault; we warned people about the issue, and even offered to hold the patch removing the old hooks, but no one spoke up until after 2.6.14 was already long since released and 2.6.15 was already at -rc4. We fixed the filesystems we use and test ourselves, and the JFS maintainers took care of their filesystem in response to the open discussion of the patches. reiserfs folks didn't respond, and SELinux support has never been a priority to them AFAIK. SuSE did some work incorporated into 2.6.12 that allegedly enabled SELinux to work properly with the reiserfs xattrs (but I do not have any specific reports of people successfully using SELinux with reiserfs, nor have I ever tried it); prior to 2.6.12, reiserfs wasn't working with SELinux anyway. Unlikely that they will take any action to fix it again since SELinux is not supported by SuSE. Easiest answer is to disable SELinux if using XFS until 2.6.16.
I would also suggest contacting the XFS maintainer for clarification of his intentions and timeframe for upstream fix.
This is a mass-update to all currently open kernel bugs. A new kernel update has been released (Version: 2.6.15-1.1830_FC4) based upon a new upstream kernel release. Please retest against this new kernel, as a large number of patches go into each upstream release, possibly including changes that may address this problem. This bug has been placed in NEEDINFO_REPORTER state. Due to the large volume of inactive bugs in bugzilla, if this bug is still in this state in two weeks' time, it will be closed. Should this bug still be relevant after this period, the reporter can reopen the bug at any time. Any other users on the Cc: list of this bug can request that the bug be reopened by adding a comment to the bug. If this bug is a problem preventing you from installing the release this version is filed against, please see bug 169613. Thank you.
Not fixed in 2.6.15-1.1830_FC4. Per above comments, looks hopeful for 2.6.16.
Yes, xfs workaround is in Linus' tree for 2.6.16. No fix for reiserfs in sight yet.
Did this ever get fixed in .17 / .18?
xfs should work with SELinux for kernels >= 2.6.16. reiserfs is still not fixed, and no one seems interested in fixing it.
I'd suggest filing this in the upstream kernel.org bugzilla, as it's highly unlikely anyone at Red Hat is going to fix this due to us not supporting reiserfs.