Bug 193673 - selinux_sigiotask ltp test fails on RHEL 4
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: x86_64 Linux
Priority: medium, Severity: medium
Assigned To: Eric Paris
QA Contact: Brian Brock
Reported: 2006-05-31 11:24 EDT by Mike Gahagan
Modified: 2007-11-30 17:07 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-10-12 11:55:48 EDT

Description Mike Gahagan 2006-05-31 11:24:57 EDT
Description of problem:

selinux_sigiotask from the 20060505 ltp selinux test suite fails consistently on
RHEL 4 (2.6.9-37.EL). This is not a regression, as it fails on earlier kernels as
well, although the exit code is different on older kernels (2.6.9-5 or 22), being
1 rather than 2.

Version-Release number of selected component (if applicable):

RHEL 4 2.6.9-37.EL, 2.6.9-22, 2.6.9-5

How reproducible:

Always on x86_64

Steps to Reproduce:
1. Build/run ltp selinux test suite
2. The test07 from the selinux_file test will be the only one that fails
3. This corresponds to
ltp-full-20060515/testcases/kernel/security/selinux-testsuite/tests/file/selinux_sigiotask
  
Actual results:
running from a pseudoterm we get:

runcon -t test_fileop_t -- file/selinux_sigiotask # no output to console

from /var/log/messages:
May 31 11:13:40 dhcp59-204 root: selinux_sigiotask start
May 31 11:13:47 dhcp59-204 kernel: audit(1149088427.264:130): avc:  denied  { read write } for  pid=6320 comm="selinux_sigiota" name="0" dev=devpts ino=2 scontext=root:system_r:test_fileop_t tcontext=root:object_r:initrc_devpts_t tclass=chr_file
May 31 11:13:47 dhcp59-204 kernel: audit(1149088427.264:131): avc:  denied  { use } for  pid=6320 comm="selinux_sigiota" name="0" dev=devpts ino=2 scontext=root:system_r:test_fileop_t tcontext=user_u:system_r:initrc_t tclass=fd
May 31 11:13:47 dhcp59-204 kernel: audit(1149088427.264:132): avc:  denied  { use } for  pid=6320 comm="selinux_sigiota" name="0" dev=devpts ino=2 scontext=root:system_r:test_fileop_t tcontext=user_u:system_r:initrc_t tclass=fd
May 31 11:13:47 dhcp59-204 kernel: audit(1149088427.264:133): avc:  denied  { use } for  pid=6320 comm="selinux_sigiota" name="0" dev=devpts ino=2 scontext=root:system_r:test_fileop_t tcontext=user_u:system_r:initrc_t tclass=fd
May 31 11:13:55 dhcp59-204 root: selinux_sigiotask end

Running from a 'real tty - tty1' we get a segfault:

(no useful console output)

May 31 11:16:27 dhcp59-204 root: selinux_sigiotask from console start
May 31 11:16:45 dhcp59-204 kernel: selinux_sigiota[6368]: segfault at 00000000bffffbc2 rip 000000374a96ff20 rsp 0000007fbfffef28 error 4
May 31 11:16:59 dhcp59-204 root: selinux_sigiotask from console end



Expected results:

Test passes.

Additional info:

Likely occurs on all other architectures as well. Other arches have not yet been tested.
Comment 2 Mike Gahagan 2006-05-31 11:35:24 EDT
This was also tested with 2.6.9-34.EL. When run from the console (tty1) all
other tests pass.
Comment 3 Eric Paris 2006-06-19 12:48:56 EDT
Just ran with everything on the beta channel including 2.6.9-34.0.1.ELsmp.  
Failed on both an ssh connection and a real tty.

On the real tty just added the rule
allow test_fileop_t user_home_t:dir search;

and it worked fine.

For the ssh terminal added

allow test_fileop_t initrc_devpts_t:chr_file { read write };
allow test_fileop_t initrc_t:fd use;

and it started working.

Going to attempt to figure out what of these I should care about.  It seems as
though the test works fine but is having some access problems to either files it
needs or the console....
Comment 4 Eric Paris 2006-06-19 13:26:42 EDT
  fd = open(ctermid(NULL), O_RDWR, 0);

  if(fd == -1) {
    perror("selinux_sigiotask:open");
    exit(2);
  }

Without allow test_fileop_t initrc_devpts_t:chr_file { read write }; the open
fails, so it exits with 2. My guess is that pre-u2 policy (where initrc was
introduced) we may have been failing with different errors....
Comment 5 Eric Paris 2006-06-19 13:28:06 EDT
So I'd say this is an LTP problem, not kernel.
Comment 6 Mike Gahagan 2006-06-19 16:08:21 EDT
We failed with an exit 1 in GA, I did not try U1. 

I agree this is not a kernel problem at this point. Do you think this is a
worthwhile test with the policy change?

Comment 7 Eric Paris 2006-06-28 12:56:48 EDT
I think adding permissions to talk to the console is reasonable if it's broken
in the reference policy I think a bug should be filed with LTP.
Comment 8 Eric Paris 2007-10-12 11:55:48 EDT
Mike, haven't heard anything in a while, going to close NOTABUG; you can reopen if
you need a BZ to handle the policy change (but I doubt you do).
