Bug 203801 - LSPP- 'newrole' SELinux command getting 'SIGPIPE' with 40000 Chars
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: policycoreutils
5.0
s390x Linux
medium Severity medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2006-08-23 15:47 EDT by IBM Bug Proxy
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: beta2
Doc Type: Bug Fix
Last Closed: 2006-12-22 19:04:06 EST


Attachments
strace of newrole command (25.96 KB, text/plain)
2006-08-23 15:52 EDT, IBM Bug Proxy
ltrace of newrole command (3.49 KB, text/plain)
2006-08-23 15:53 EDT, IBM Bug Proxy
libselinux patch to address this bug in general (2.24 KB, application/binary)
2006-09-11 11:51 EDT, Stephen Smalley


External Trackers
Tracker ID Priority Status Summary Last Updated
IBM Linux Technology Center 26566 None None None Never

Description IBM Bug Proxy 2006-08-23 15:47:00 EDT
LTC Owner is: srinivds@in.ibm.com
LTC Originator is: nasastry@in.ibm.com


---Problem Description---
Getting SIGPIPE when passing 40000 characters as arguments to the 'newrole'
SELinux command
 
Contact Information = nasastry@in.ibm.com
 
---uname output---
Linux HOSTNAME 2.6.17-1.2473.el5 #1 SMP Fri Jul 28 18:14:57 EDT 2006 s390x s390x
s390x GNU/Linux
 
Machine Type = 2066
 
---Debugger---
A debugger is not configured
 
---Steps to Reproduce---
Run the following command.
# b=`perl -e "print 'A'x40000"` ; newrole -r system_r$b -t unconfined_t$b -- -c ls$b
Authenticating root.
Password: xxxxxxxx
# echo $?
141        <-----128+13=141 (13 stands for SIGPIPE)
 
---Base System Tools Component Data--- 
/etc/selinux/config output: # cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

Userspace tool common name: newrole
 
"rpm -qa | grep -i selinux" output: # rpm -qa | grep -i selinux
libselinux-devel-1.30.12-1
libselinux-1.30.12-1
libselinux-python-1.30.12-1
libselinux-devel-1.30.12-1
selinux-policy-targeted-2.2.47-1
selinux-policy-strict-2.2.47-1
libselinux-1.30.12-1
selinux-policy-2.2.47-1
selinux-policy-mls-2.2.47-1

The userspace tool has the following bit modes: 64-bit

Userspace rpm: policycoreutils-1.30.12-5
 
*Additional Instructions for nasastry@in.ibm.com: 
-Post a private note with access information to the machine that the bug is
occurring on.
-Attach ltrace and strace of userspace application.
Attaching ltrace and strace output
-Attach contents of /var/log/messages

<related message from /var/log/messages>
Aug 23 16:33:58 india5 mcstransd: Servicing of request failed for fd (5)
</related>

<related message from dmesg>
Unable to handle kernel pointer dereference at virtual kernel address
0000000000000000
Oops: 0004 [#1]
CPU:    0    Not tainted
Process newrole (pid: 20725, task: 000000007ff72e90, ksp: 0000000050a33bc0)
Krnl PSW : 0704200180000000 0000000000160b6c (_raw_read_lock+0x50/0x120)
Krnl GPRS: 0000000000000001 0000000000000000 0000000000000001 0000000000000000
           0000000000160b5c 0000000000000002 0000000000000002 000000005085b000
           0000000000000008 00000000ffffff9c 0000000050a33e48 0000000050a33c40
           0000000000000008 0000000000252418 0000000000160b5c 0000000050a33c40
Krnl Code: ba 32 80 00 19 31 a7 84 00 5e b9 04 00 28 c0 e5 ff ff f2 f5
Call Trace:
([<0000000000160b5c>] _raw_read_lock+0x40/0x120)
 [<0000000000237bca>] _read_lock+0x4e/0x5c
 [<00000000000bc674>] do_path_lookup+0x60/0x408
 [<00000000000bd586>] __user_walk_fd+0x5e/0x7c
 [<00000000000a474a>] sys_faccessat+0x96/0x138
 [<00000000000a481e>] sys_access+0x32/0x40
 [<000000000001ed94>] sysc_noemu+0x10/0x16
 [<00000047afe5a27e>] 0x47afe5a27e

 <1>Unable to handle kernel pointer dereference at virtual kernel address
0000000000000000
Oops: 0004 [#2]
CPU:    0    Not tainted
Process newrole (pid: 20729, task: 0000000062e84438, ksp: 00000000509cbbc0)
Krnl PSW : 0704200180000000 0000000000160b6c (_raw_read_lock+0x50/0x120)
Krnl GPRS: 0000000000000001 0000000000000000 0000000000000001 0000000000000000
           0000000000160b5c 0000000000000002 0000000000000002 0000000050a24000
           0000000000000008 00000000ffffff9c 00000000509cbe48 00000000509cbc40
           0000000000000008 0000000000252418 0000000000160b5c 00000000509cbc40
Krnl Code: ba 32 80 00 19 31 a7 84 00 5e b9 04 00 28 c0 e5 ff ff f2 f5
Call Trace:
([<0000000000160b5c>] _raw_read_lock+0x40/0x120)
 [<0000000000237bca>] _read_lock+0x4e/0x5c
 [<00000000000bc674>] do_path_lookup+0x60/0x408
 [<00000000000bd586>] __user_walk_fd+0x5e/0x7c
 [<00000000000a474a>] sys_faccessat+0x96/0x138
 [<00000000000a481e>] sys_access+0x32/0x40
 [<000000000001ed94>] sysc_noemu+0x10/0x16
 [<00000047afe5a27e>] 0x47afe5a27e
</related>

P.S. 
# getenforce
Permissive

Workaround:
After stopping the daemon named "mcstransd", newrole was giving the proper error
message "-bash: /usr/bin/newrole: Argument list too long"
Comment 1 IBM Bug Proxy 2006-08-23 15:52:01 EDT
Created attachment 134745
strace of newrole command
Comment 2 IBM Bug Proxy 2006-08-23 15:53:22 EDT
Created attachment 134746
ltrace of newrole command
Comment 3 IBM Bug Proxy 2006-08-24 03:36:29 EDT
----- Additional Comments From nasastry@in.ibm.com  2006-08-24 03:40 EDT -------
Same result with RHEL5_Alpha2 (KV 2.6.17-1.2519.4.5.el5) 
Comment 4 IBM Bug Proxy 2006-08-24 06:26:18 EDT
----- Additional Comments From srinivds@in.ibm.com  2006-08-24 06:30 EDT -------
When we try to run the above newrole command with "mcstransd" (SELinux Context
Translation System Daemon), 2 write operations happen to the
/var/run/setrans/.setrans-unix socket (created by mcstransd). By the time one
write operation finishes, the read end of the socket is getting closed and hence
the second write operation is getting SIGPIPE.
========================================================================
connect(3, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"}, 110) = 0
writev(3, [{"
Comment 5 Daniel Walsh 2006-08-31 08:10:14 EDT
newrole will now ignore sigpipe.

Fixed in policycoreutils-1.30.27-3
Comment 6 IBM Bug Proxy 2006-08-31 15:51:23 EDT
----- Additional Comments From salina@us.ibm.com  2006-08-31 15:46 EDT -------
Hi Daniel,

Will you be placing the fix on Fedora too ?

Before we get an official RHEL 5 beta 1
will Fedora be a good place to get a fixed package we can try .. since we are 
doing some pre-beta 1 testing any way.
Currently I see policycoreutils-1.30.26-1.s390x.rpm 
http://download.fedora.redhat.com/pub/fedora/linux/core/development/s390x/os/Fedora/RPMS/

Thanks
Salina Chu 
LTC screen team 
Comment 7 Daniel Walsh 2006-08-31 16:25:59 EDT
Yes all development is in Fedora first.

Most updates will not be in RHEL 5 beta 1 since that froze a few weeks ago.

So packages will be available in Fedora.
Comment 8 Stephen Smalley 2006-09-11 11:51:08 EDT
Created attachment 136009 [details]
libselinux patch to address this bug in general

This patch has been proposed upstream as a general solution for this bug, not
limited to newrole.  It modifies the libselinux code that was triggering
SIGPIPE to use sendmsg() with MSG_NOSIGNAL rather than writev() so that if the
daemon closes its end of the connection prematurely, a normal error value will
be returned up to the caller rather than generating a SIGPIPE.
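
The behaviour difference described in Comment 8, as an added example that is not the attached libselinux patch nor code from this bug report: a socketpair() stands in for the mcstransd connection, and the function names and the length-prefixed framing are assumptions made for the demonstration.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

static volatile sig_atomic_t sigpipe_seen;
static void on_sigpipe(int sig) { (void)sig; sigpipe_seen = 1; }

/* Gather-write a length header plus payload. The framing is constructed for
 * this example and is not the setrans wire format. Returns 0 or errno. */
static int send_request(int fd, const char *data, size_t len, int nosignal)
{
    unsigned int hdr = (unsigned int)len;
    struct iovec iov[2] = { { &hdr, sizeof hdr }, { (void *)data, len } };
    struct msghdr msg = {0};
    ssize_t n;
    msg.msg_iov = iov;
    msg.msg_iovlen = 2;
    n = nosignal ? sendmsg(fd, &msg, MSG_NOSIGNAL) : writev(fd, iov, 2);
    return n < 0 ? errno : 0;
}

/* Simulate the daemon closing its end early. Returns 1 if SIGPIPE was
 * delivered, 0 if not, -1 on setup failure; *err gets the write's errno. */
int write_to_closed_peer(int nosignal, int *err)
{
    int sv[2];
    void (*old)(int);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    old = signal(SIGPIPE, on_sigpipe);   /* observe instead of dying */
    sigpipe_seen = 0;
    close(sv[1]);                        /* peer (the "daemon") goes away */
    *err = send_request(sv[0], "system_r", 8, nosignal);
    close(sv[0]);
    signal(SIGPIPE, old);
    return sigpipe_seen;
}

int main(void)
{
    int e = 0, s = write_to_closed_peer(0, &e);
    printf("writev:  SIGPIPE=%d errno=%d\n", s, e);
    s = write_to_closed_peer(1, &e);
    printf("sendmsg: SIGPIPE=%d errno=%d\n", s, e);
    return 0;
}
```

Both calls fail with EPIPE; only the writev() path also raises the signal, which under the default disposition terminates the process with the exit status 141 seen in the original report.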
Comment 9 IBM Bug Proxy 2006-10-10 07:30:57 EDT
changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ACCEPTED                    |CLOSED




------- Additional Comments From nasastry@in.ibm.com  2006-10-10 07:25 EDT -------
Tested against latest code drop KV 2.6.18-1.2702.el5.

newrole command is not giving SIGPIPE.

# rpm -qa | grep selinux
libselinux-1.30.28-2
libselinux-devel-1.30.28-2
libselinux-1.30.28-2
libselinux-python-1.30.28-2
selinux-policy-targeted-2.3.16-2
libselinux-devel-1.30.28-2
selinux-policy-2.3.16-2

Closing this bugzilla report.

Thanks!! 
Comment 10 RHEL Product and Program Management 2006-12-22 19:04:06 EST
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.
Comment 11 IBM Bug Proxy 2006-12-23 15:01:18 EST
----- Additional Comments From salina@us.ibm.com  2006-12-23 14:55 EDT -------
problem already closed at IBM.  Thanks 
