Bug 180179 - kernel-2.6.15-1.1830_FC4 gives SELinux errors on boot
Summary: kernel-2.6.15-1.1830_FC4 gives SELinux errors on boot
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 5
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Dave Jones
QA Contact: Brian Brock
URL:
Whiteboard: NeedsRetesting
Depends On:
Blocks:
Reported: 2006-02-06 16:47 UTC by Matthew Saltzman
Modified: 2015-01-04 22:25 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-04-04 21:12:02 UTC
Type: ---
Embargoed:



Description Matthew Saltzman 2006-02-06 16:47:30 UTC
Description of problem:
During startup, 2.6.15 FC4 kernels produce a number of SELinux audit failures
related to hotplug.


Version-Release number of selected component (if applicable):
kernel-2.6.15-1.1830_FC4

How reproducible:
Always

Steps to Reproduce:
1. Install kernel-2.6.15-1.1830_FC4
2. Boot
3. Watch startup log messages or view dmesg
  
Actual results:
The following audit messages:

audit(1139187977.980:2): avc:  denied  { search } for  pid=579 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187977.988:3): avc:  denied  { search } for  pid=580 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187977.996:4): avc:  denied  { search } for  pid=571 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.004:5): avc:  denied  { search } for  pid=581 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.012:6): avc:  denied  { search } for  pid=582 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.020:7): avc:  denied  { search } for  pid=583 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.028:8): avc:  denied  { search } for  pid=584 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.036:9): avc:  denied  { search } for  pid=567 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.048:10): avc:  denied  { search } for  pid=568 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.056:11): avc:  denied  { search } for  pid=569 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.068:12): avc:  denied  { search } for  pid=573 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.076:13): avc:  denied  { search } for  pid=574 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.088:14): avc:  denied  { search } for  pid=575 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.100:15): avc:  denied  { search } for  pid=577 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.112:16): avc:  denied  { search } for  pid=578 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.124:17): avc:  denied  { search } for  pid=586 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.136:18): avc:  denied  { search } for  pid=587 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.148:19): avc:  denied  { search } for  pid=572 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.160:20): avc:  denied  { search } for  pid=570 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.176:21): avc:  denied  { search } for  pid=576 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir


Expected results:
No audit messages

Additional info:
Started appearing with FC4 2.6.15 kernels.  2.6.14 kernels did not display this
message.

It might be that these messages don't appear in 2.6.14 because they are
suppressed in quiet mode (broken in this kernel at least, as in bug #179919),
but I think they still are problematic.  I'm having issues with USB key drives,
but I haven't tried to isolate that issue yet--seems like it might be related to
this.

Comment 1 Matthew Saltzman 2006-02-06 19:51:30 UTC
Have verified that these messages are suppressed in quiet mode, but in non-quiet
mode, they appear with FC4 2.6.14 kernels also.

Comment 2 Stephen Smalley 2006-02-06 20:04:05 UTC
Likely an interleaving of device detection / hotplug execution with the initial
setup of SELinux upon the initial policy load by init.  Not certain as to the
best solution here.


Comment 3 Dave Jones 2006-02-19 05:58:41 UTC
Stephen, would your patch from bug 180296 suppress this ?


Comment 4 Stephen Smalley 2006-02-21 13:22:39 UTC
No, different issue.  In this case (IIUC), the inodes are labeled correctly on
disk, but we are hitting a race between the initial setup of SELinux upon first
policy load by /sbin/init and a hotplug execution, so that hotplug is accessing
inodes before SELinux gets done setting up their incore labels.  This is tricky,
as we have to allow execution of usermode helpers prior to initial policy load
for any setup prior to /sbin/init (e.g. from initrd), but we want to essentially
block them once we initiate a policy load until the entire SELinux setup is
finished.
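A defender triaging denials like the ones in this report wants to tell a boot-time labeling race (comment 4) apart from an inode that is genuinely mislabeled on disk. The following is an added example, not code from the bug or from Fedora: it parses the 2.6-era wrapped AVC format shown above, groups unlabeled_t denials by source context and inode, and applies a heuristic (my assumption, not stated in the bug) that a burst of distinct short-lived helper PIDs on one inode within a sub-second window fits the race. The first three sample records are taken from the report; the httpd record is constructed.

```python
import re
from collections import defaultdict
# Matches the 2.6-era AVC line format quoted in the report; name/dev/ino are optional.
AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for'
    r'\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"(?: name="(?P<name>[^"]*)")?'
    r'(?: dev=(?P<dev>\S+))?(?: ino=(?P<ino>\d+))?'
    r' scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
# Sample input: the first three records are from the report (wrapped as shown there);
# the httpd record is constructed, to show an unrelated denial that is grouped separately.
SAMPLE = """\
audit(1139187977.980:2): avc:  denied  { search } for  pid=579 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187977.988:3): avc:  denied  { search } for  pid=580 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187977.996:4): avc:  denied  { search } for  pid=571 comm="hotplug"
name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139188100.500:9): avc:  denied  { read } for  pid=900 comm="httpd"
name="index.html" dev=dm-0 ino=4242 scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:unlabeled_t tclass=file
"""

def parse_avc(text):
    """Rejoin records wrapped across lines on 'audit(' boundaries and parse each one."""
    joined = " ".join(line.strip() for line in text.strip().splitlines())
    records = []
    for chunk in re.split(r'(?=audit\()', joined):
        m = AVC_RE.match(chunk.strip())
        if m:
            r = m.groupdict()
            r["ts"], r["pid"], r["perms"] = float(r["ts"]), int(r["pid"]), r["perms"].split()
            records.append(r)
    return records

def unlabeled_bursts(records):
    """Group unlabeled_t denials by (scontext, tclass, dev, ino): count, PIDs, time span."""
    groups = defaultdict(list)
    for r in records:
        if r["tcontext"].split(":")[2] == "unlabeled_t":
            groups[(r["scontext"], r["tclass"], r["dev"], r["ino"])].append(r)
    return {k: {"count": len(v), "pids": sorted({r["pid"] for r in v}),
                "span": round(max(r["ts"] for r in v) - min(r["ts"] for r in v), 3)}
            for k, v in groups.items()}

def looks_like_boot_race(summary, min_pids=3, max_span=1.0):
    """Heuristic (assumption, not from the bug): many distinct helper PIDs on one inode
    within a sub-second window fits the policy-load race; a mislabeled inode keeps failing."""
    return len(summary["pids"]) >= min_pids and summary["span"] <= max_span
```

Run against a full boot log, the hotplug group shows 21 PIDs in about 200 ms on inode 851969, which is what makes comment 4's race explanation more plausible than an on-disk labeling error.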

Comment 5 Dave Jones 2006-09-17 02:51:42 UTC
[This comment added as part of a mass-update to all open FC4 kernel bugs]

FC4 has now transitioned to the Fedora legacy project, which will continue to
release security related updates for the kernel.  As this bug is not security
related, it is unlikely to be fixed in an update for FC4, and has been migrated
to FC5.

Please retest with Fedora Core 5.

Thank you.


Comment 6 Dave Jones 2006-10-16 19:02:57 UTC
A new kernel update has been released (Version: 2.6.18-1.2200.fc5)
based upon a new upstream kernel release.

Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.

This bug has been placed in NEEDINFO state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

In the last few updates, some users upgrading from FC4->FC5
have reported that installing a kernel update has left their
systems unbootable. If you have been affected by this problem
please check you only have one version of device-mapper & lvm2
installed.  See bug 207474 for further details.

If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.

If this bug has been fixed, but you are now experiencing a different
problem, please file a separate bug for the new problem.

Thank you.
