Bug 177439 - SELinux MLS compatibility
SELinux MLS compatibility
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: James Morris
Brian Brock
Depends On:
Blocks: 181409
  Show dependency treegraph
Reported: 2006-01-10 13:04 EST by James Morris
Modified: 2007-11-30 17:07 EST (History)
4 users (show)

See Also:
Fixed In Version: RHSA-2006-0575
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-08-10 17:51:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Proposed patch (796 bytes, patch)
2006-01-15 10:35 EST, James Morris
no flags Details | Diff
Updated patch (4.03 KB, patch)
2006-01-17 11:29 EST, James Morris
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2006:0575 normal SHIPPED_LIVE Important: Updated kernel packages available for Red Hat Enterprise Linux 4 Update 4 2006-08-10 00:00:00 EDT

  None (edit)
Description James Morris 2006-01-10 13:04:59 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc3 Firefox/1.0.7

Description of problem:
We need to investigate adding some code to make RHEL4 compatible with MLS filesystem labeling in FC5 and RHEL5, which make use of the extra MLS field.

This is fine for FC, as we just use the upstream patch and have MLS enabled, but MLS is not enabled for the RHEL4 kernel and new code needs to be written to try and ignore the MLS field if present.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Dual boot between FC rawhide and RHEL4

Actual Results:  You'll see messages like

kernel: inode_doinit_with_dentry:  context_to_sid(system_u:object_r:boot_t:s0)

Expected Results:  Just works.

Additional info:
Comment 1 James Morris 2006-01-15 10:35:34 EST
Created attachment 123215 [details]
Proposed patch

This patch causes us to ignore the MLS field from disk if MLS is disabled (I
know we disable it at compile time, but just in case someone recompiles the
kernel, and to make it clear).

We just check that there is another field, but do no validation of the field
Comment 2 James Morris 2006-01-17 11:29:35 EST
Created attachment 123305 [details]
Updated patch

This patch ensures we only ignore the MLS field when initializing inode
security, and not for all contexts in the system.

Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
Comment 4 Bernd Bartmann 2006-01-18 15:23:16 EST
Even with this fix included you have to make sure that you update your RHES4
kernel before installing FC5 and even more worse this only works for Red Hat
alike distributions. All other Selinux enabled distributions that don't have
this fix will this break when trying to update a kernel if you have a shared
/boot partition.
Comment 5 James Morris 2006-01-18 15:37:26 EST
Other distributions will either need to apply this patch or use a newer upstream
kernel (where it is fixed already).
Comment 6 Stephen Smalley 2006-04-06 08:12:26 EDT
Has this fix gone into a RHEL4 update yet?
Comment 7 James Morris 2006-04-06 08:58:51 EDT
It's been posted internall, does not appear to have been applied to the tree yet.

Jason, please advise of the status of the patch.
Comment 8 Jason Baron 2006-04-06 13:41:41 EDT
i have it queued for today's build...i'll update the bug when its finally
merged. thanks.
Comment 9 Jason Baron 2006-04-06 21:38:03 EDT
committed in stream U4 build 34.14. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 10 Ron Yorston 2006-04-07 14:35:25 EDT
I've just tried the 34.14 test kernel with my shared /home which has FC5 file
contexts on it.  It seems to be working as intended.
Comment 14 Red Hat Bugzilla 2006-08-10 17:51:10 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.