Red Hat Bugzilla – Bug 177439
SELinux MLS compatibility
Last modified: 2007-11-30 17:07:22 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc3 Firefox/1.0.7
Description of problem:
We need to investigate adding some code to make RHEL4 compatible with MLS filesystem labeling in FC5 and RHEL5, which make use of the extra MLS field.
This is fine for FC, as we just use the upstream patch and have MLS enabled, but MLS is not enabled for the RHEL4 kernel and new code needs to be written to try and ignore the MLS field if present.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Dual boot between FC rawhide and RHEL4
Actual Results: You'll see messages like
kernel: inode_doinit_with_dentry: context_to_sid(system_u:object_r:boot_t:s0)
Expected Results: Just works.
Created attachment 123215 [details]
This patch causes us to ignore the MLS field from disk if MLS is disabled (I
know we disable it at compile time, but just in case someone recompiles the
kernel, and to make it clear).
We just check that there is another field, but do no validation of the field
Created attachment 123305 [details]
This patch ensures we only ignore the MLS field when initializing inode
security, and not for all contexts in the system.
Acked-by: Stephen Smalley <email@example.com>
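The behaviour the two attachments describe, modelled as an added C example (this is illustrative code written for this page, not the kernel's context_to_sid() or either attachment): a strict parser of "user:role:type" rejects an on-disk label that carries a fourth MLS field, which is the failure logged in the bug; with MLS disabled and the inode-initialisation path allowed to skip the extra field, the label is accepted after only checking that a non-empty field follows the type, with no validation of its contents. The `ignore_extra` flag models the second attachment's restriction: only the inode labelling path sets it, so every other context string in the system is still parsed strictly. Names, struct layout, and the fixed field sizes are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified, hypothetical model of a parsed SELinux security context.
 * The real kernel resolves each field against the loaded policy; here we
 * only split and store the strings. */
struct sel_context {
    char user[64];
    char role[64];
    char type[64];
    char mls[64];   /* kept only when MLS is enabled */
    bool has_mls;
};

enum { PARSE_OK = 0, PARSE_INVALID = -1 };

/* Copy [start, end) into dst; an empty or oversized field is an error. */
static int copy_field(char *dst, size_t dstsz, const char *start, const char *end)
{
    size_t len = (size_t)(end - start);
    if (len == 0 || len >= dstsz)
        return -1;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return 0;
}

/* Parse "user:role:type[:mls]".
 *  mls_enabled  - MLS compiled in: the trailing field is stored as the range.
 *  ignore_extra - MLS disabled but the caller is initialising inode security
 *                 from disk: a trailing field is skipped without validation.
 * With MLS disabled and ignore_extra false, any trailing field is rejected. */
int parse_context(const char *ctx, bool mls_enabled, bool ignore_extra,
                  struct sel_context *out)
{
    const char *p = ctx, *sep, *type_end;

    memset(out, 0, sizeof(*out));

    sep = strchr(p, ':');                                   /* user */
    if (!sep || copy_field(out->user, sizeof out->user, p, sep))
        return PARSE_INVALID;
    p = sep + 1;

    sep = strchr(p, ':');                                   /* role */
    if (!sep || copy_field(out->role, sizeof out->role, p, sep))
        return PARSE_INVALID;
    p = sep + 1;

    sep = strchr(p, ':');                                   /* type */
    type_end = sep ? sep : p + strlen(p);
    if (copy_field(out->type, sizeof out->type, p, type_end))
        return PARSE_INVALID;
    if (!sep)
        return PARSE_OK;            /* plain three-field context */

    p = sep + 1;
    if (*p == '\0')
        return PARSE_INVALID;       /* trailing ':' with nothing after it */

    if (mls_enabled) {
        /* The whole remainder is the MLS range, which may itself contain ':' */
        if (copy_field(out->mls, sizeof out->mls, p, p + strlen(p)))
            return PARSE_INVALID;
        out->has_mls = true;
        return PARSE_OK;
    }
    /* MLS disabled: only the inode-initialisation path may drop the field,
     * and it does so without looking at what the field contains. */
    return ignore_extra ? PARSE_OK : PARSE_INVALID;
}

/* Models labelling an inode from its on-disk xattr: this is the one path
 * that tolerates a foreign MLS field. Returns PARSE_OK or PARSE_INVALID and
 * logs a message shaped like the one in the bug report on failure. */
int inode_doinit_label(const char *ondisk_ctx, bool mls_enabled,
                       struct sel_context *out)
{
    int rc = parse_context(ondisk_ctx, mls_enabled, true, out);
    if (rc != PARSE_OK)
        printf("inode_doinit_with_dentry: context_to_sid(%s) failed\n", ondisk_ctx);
    return rc;
}

int main(void)
{
    struct sel_context c;
    const char *label = "system_u:object_r:boot_t:s0";   /* constructed FC5-style label */

    /* Old behaviour: MLS disabled, strict everywhere -> rejected */
    printf("strict: %d\n", parse_context(label, false, false, &c));
    /* Patched behaviour: inode init skips the field -> accepted */
    printf("inode init: %d\n", inode_doinit_label(label, false, &c));
    return 0;
}
```

The model deliberately keeps the second attachment's distinction: passing `ignore_extra` only from the inode path means a process or socket context string with a stray fourth field is still refused, so the relaxation does not widen what the rest of the system will accept.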
Even with this fix included you have to make sure that you update your RHES4
kernel before installing FC5, and even worse, this only works for Red Hat
alike distributions. All other SELinux enabled distributions that don't have
this fix will break when trying to update a kernel if you have a shared
Other distributions will either need to apply this patch or use a newer upstream
kernel (where it is fixed already).
Has this fix gone into a RHEL4 update yet?
It's been posted internally, does not appear to have been applied to the tree yet.
Jason, please advise of the status of the patch.
I have it queued for today's build... I'll update the bug when it's finally
committed in stream U4 build 34.14. A test kernel with this patch is available
I've just tried the 34.14 test kernel with my shared /home which has FC5 file
contexts on it. It seems to be working as intended.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.