From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc3 Firefox/1.0.7
Description of problem:
We need to investigate adding some code to make RHEL4 compatible with MLS filesystem labeling in FC5 and RHEL5, which make use of the extra MLS field. This is fine for FC, as we just use the upstream patch and have MLS enabled, but MLS is not enabled for the RHEL4 kernel and new code needs to be written to try and ignore the MLS field if present.
Version-Release number of selected component (if applicable):
How reproducible: Always
Steps to Reproduce:
1. Dual boot between FC rawhide and RHEL4
2.
3.
Actual Results: You'll see messages like
kernel: inode_doinit_with_dentry: context_to_sid(system_u:object_r:boot_t:s0)
Expected Results: Just works.
Additional info:
Created attachment 123215
Proposed patch
This patch causes us to ignore the MLS field from disk if MLS is disabled (I know we disable it at compile time, but just in case someone recompiles the kernel, and to make it clear). We just check that there is another field, but do no validation of the field itself.
Created attachment 123305
Updated patch
This patch ensures we only ignore the MLS field when initializing inode security, and not for all contexts in the system.
Acked-by: Stephen Smalley <sds.gov>
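A minimal userspace model of the behaviour described in the two patch comments above, added here as an illustration; it is not the attached patch or kernel code. The names `normalize_context` and `ctx_source`, and the choice to reject a four-field context from any source other than an inode's on-disk label, are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical userspace model; these names are not the kernel's. */
enum ctx_source { CTX_FROM_INODE_XATTR, CTX_FROM_OTHER };

/*
 * Copy into out the context string the policy code should see.
 * Returns 0 on success, -1 if the context is rejected.
 * user, role and type are not validated here; only field layout is checked.
 */
int normalize_context(const char *scontext, int mls_enabled,
                      enum ctx_source src, char *out, size_t outlen)
{
    const char *p = scontext, *mls;
    size_t keep;
    int colons = 0;
    /* Stop at the third ':' (start of the MLS field) or at end of string. */
    while (*p && !(*p == ':' && ++colons == 3))
        p++;
    if (colons < 2)
        return -1;                      /* fewer than user:role:type */
    mls = (*p == ':') ? p + 1 : NULL;   /* the MLS range may itself contain ':' */

    if (mls_enabled) {
        if (!mls || !*mls)
            return -1;                  /* an MLS policy needs the field */
        keep = strlen(scontext);
    } else if (!mls) {
        keep = strlen(scontext);        /* plain three-field context */
    } else if (src == CTX_FROM_INODE_XATTR && *mls) {
        keep = (size_t)(p - scontext);  /* field exists: drop it, unvalidated */
    } else {
        return -1;                      /* assumption: other sources stay strict */
    }
    if (keep + 1 > outlen)
        return -1;
    memcpy(out, scontext, keep);
    out[keep] = '\0';
    return 0;
}

int main(void)
{
    char buf[64];   /* the context below is the one from the log message in the report */
    int rc = normalize_context("system_u:object_r:boot_t:s0", 0, CTX_FROM_INODE_XATTR, buf, sizeof buf);
    printf("%d %s\n", rc, rc == 0 ? buf : "(rejected)");
    return 0;
}
```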
Even with this fix included you have to make sure that you update your RHES4 kernel before installing FC5 and, even worse, this only works for Red Hat-like distributions. All other SELinux-enabled distributions that don't have this fix will break when trying to update a kernel if you have a shared /boot partition.
Other distributions will either need to apply this patch or use a newer upstream kernel (where it is fixed already).
Has this fix gone into a RHEL4 update yet?
It's been posted internally; it does not appear to have been applied to the tree yet. Jason, please advise of the status of the patch.
I have it queued for today's build... I'll update the bug when it's finally merged. Thanks.
Committed in stream U4 build 34.14. A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/
I've just tried the 34.14 test kernel with my shared /home which has FC5 file contexts on it. It seems to be working as intended.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0575.html