Bug 176600 - 2.6.14 breaks SELinux support for XFS and ReiserFS
2.6.14 breaks SELinux support for XFS and ReiserFS
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
6
All Linux
low Severity medium
: ---
: ---
Assigned To: Eric Paris
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-12-27 05:19 EST by Richard Shaffer
Modified: 2007-11-30 17:11 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-10-04 19:52:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Richard Shaffer 2005-12-27 05:19:18 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050811 Fedora/1.7.10-1.1.1.legacy

Description of problem:
When using 2.6.14 with SELinux and the XFS filesystem, SELinux support is broken.  Specifically, files are no longer created with the proper context.

Version-Release number of selected component (if applicable):
2.6.14-1.1653_FC4

How reproducible:
Always

Steps to Reproduce:
1. Install FC4.
2. Update to the most recent kernel (2.6.14-1.1653_FC4).
3. Reboot.
  

Actual Results:  I receive a bunch of access-denied messages for hotplug, syslog, and other daemons.

Expected Results:  File contexts are set appropriately and applications can access the required files.

Additional info:

It looks like the kernel developers had a discussion about this and semi-intentionally broke SELinux for ReiserFS and XFS.

See:
http://marc.theaimsgroup.com/?l=selinux&m=112653995009765&w=2

There is also a patch for XFS here that fixes the problem (although not in the most complete way):
http://oss.sgi.com/archives/linux-xfs/2005-12/msg00051.html

From the mailing list, it looks like a proper fix is scheduled for the 2.6.16 kernel.

There are potential workarounds:
1. Rebuild the kernel with the above patch.
2. Disable selinux or set it to permissive mode until an updated kernel is available.
3. If doing a new install, use JFS or ext3.
Comment 1 Stephen Smalley 2006-01-03 12:52:26 EST
To be clear, we were fixing a problem in the security labeling of new inodes.
The patches in question were discussed openly, at least one XFS maintainer (hch)
knew about the patches and actively encouraged us to remove the old hooks
despite potential breakage in order to provide consistent interface/semantics
and said he would fix XFS ASAP (but didn't), and the patches lived in -mm for
some time before going to Linus.  The fact that no fix was provided for XFS in
time for 2.6.14 (or 2.6.15) was IMHO not our fault; we warned people about the
issue, and even offered to hold the patch removing the old hooks, but no one
spoke up until after 2.6.14 was already long since released and 2.6.15 was
already at -rc4.  We fixed the filesystems we use and test ourselves, and the
JFS maintainers took care of their filesystem in response to the open discussion
of the patches.

reiserfs folks didn't respond, and SELinux support has never been a priority to
them AFAIK.  SuSE did some work incorporated into 2.6.12 that allegedly enabled
SELinux to work properly with the reiserfs xattrs (but I do not have any
specific reports of people successfully using SELinux with reiserfs, nor have I
ever tried it); prior to 2.6.12, reiserfs wasn't working with SELinux anyway. 
Unlikely that they will take any action to fix it again since SELinux is not
supported by SuSE.

Easiest answer is to disable SELinux if using XFS until 2.6.16.
Comment 2 James Morris 2006-01-10 01:04:05 EST
I would also suggesting contacting the XFS maintainer for clarification of his
intentions and timeframe for upstream fix.
Comment 3 Dave Jones 2006-02-03 00:55:33 EST
This is a mass-update to all currently open kernel bugs.

A new kernel update has been released (Version: 2.6.15-1.1830_FC4)
based upon a new upstream kernel release.

Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.

This bug has been placed in NEEDINFO_REPORTER state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.

Thank you.
Comment 4 Richard Shaffer 2006-02-03 14:27:32 EST
Not fixed in 2.6.15-1.1830_FC4.

Per above comments, looks hopeful for 2.6.16.
Comment 5 Stephen Smalley 2006-02-03 15:00:12 EST
Yes, xfs workaround is in Linus' tree for 2.6.16.
No fix for reiserfs in sight yet.
Comment 6 Dave Jones 2006-10-02 20:38:31 EDT
Did this ever get fixed in .17 / .18 ?
Comment 7 Stephen Smalley 2006-10-03 09:02:50 EDT
xfs should work with SELinux for kernels >= 2.6.16.
reiserfs is still not fixed, and no one seems interested in fixing it.
Comment 8 Dave Jones 2006-10-04 19:52:08 EDT
I'd suggest filing this in the upstream kernel.org bugzilla, as it's highly
unlikely anyone at Red Hat is going to fix this due to us not supporting reiserfs.

Note You need to log in before you can comment on or make changes to this bug.