429857 – Root inode of ext4dev root filesystem does not get selinux label

Bug 429857 - Root inode of ext4dev root filesystem does not get selinux label

Summary: Root inode of ext4dev root filesystem does not get selinux label

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Eric Sandeen
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-01-23 14:45 UTC by Eric Sandeen
Modified:	2008-07-25 14:54 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2008-01-30 15:03:12 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Eric Sandeen 2008-01-23 14:45:27 UTC

I'm not sure this is an anaconda bug, but need to file it somewhere so it
doesn't get lost, feel free to move as appropriate.

When installing rawhide onto ext4dev, the root inode does not get an selinux
security context label.  This ultimately causes the system boot to fail
post-installation.  Simply running restorecon on / fixes it up.

I haven't yet sorted out *what* should be labeling / during install; perhaps the
recent "fixfiles" fix will fix it.  I'll test that today.

Comment 1 Daniel Walsh 2008-01-23 21:43:34 UTC

Yes I think the fixed fixfiles should fix this problem

Comment 2 Chris Lumens 2008-01-28 20:31:00 UTC

Putting in MODIFIED on the basis of comment #1.

Comment 3 Eric Sandeen 2008-01-28 22:29:42 UTC

Something else is still wrong... at the end of the install, ls -Zd /mnt/sysimage
shows root_t... but after the box reboots, it's file_t again.  It appears it's
not getting flushed.

ls -Zd /mnt/sysimage/boot (separate filesystem...) shows boot_t before & after.

I notice that at the end of the install, /mnt/sysimage is still held busy via
files in /mnt/sysimage/var/lib/rpm... perhaps it's not getting unmounted
cleanly?  This may be a kernel problem unique to ext4 I suppose; maybe
journaling and/or flushing problems....

Comment 4 Eric Sandeen 2008-01-29 05:29:38 UTC

Funky, the root attr is there but it's not reported/returned:

[root@magnesium tmp]# mount | grep sda9
/dev/sda9 on /mnt type ext4dev (rw)
[root@magnesium tmp]# ls -Zd /mnt
drwxr-xr-x  root root system_u:object_r:file_t:s0      /mnt (unlabeled)
[root@magnesium tmp]# getfattr -d -m "^security\\." /mnt
[root@magnesium tmp]# <nada>
[root@magnesium tmp]# debugfs /dev/sda9
debugfs 1.40.4 (31-Dec-2007)
debugfs:  stat .
Inode: 2   Type: directory    Mode:  0755   Flags: 0x0   Generation: 0
User:     0   Group:     0   Size: 4096
File ACL: 0    Directory ACL: 0
Links: 23   Blockcount: 8
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x479ea01f -- Mon Jan 28 21:40:15 2008
atime: 0x479ea020 -- Mon Jan 28 21:40:16 2008
mtime: 0x479ea01f -- Mon Jan 28 21:40:15 2008
Size of extra inode fields: 28
Extended attributes stored in inode body: 
  selinux = "73 79 73 74 65 6d 5f 75 3a 6f 62 6a 65 63 74 5f 72 3a 72 6f 6f 74
5f 74 3a 73 30 00 " (28)
BLOCKS:
(0):816
TOTAL: 1

(that nice hex string should be printed (that's another bug...) - it's
"system_u:object_r:root_t:s0" so looks like the attr is there, but we're not
fetching/reporting it.  Grr.  Well, will fix this up tomorrow I hope.

Comment 5 Eric Sandeen 2008-01-29 19:36:20 UTC

Found it.

Can fix it a couple ways; will go to the ext4 list & see which people like best.

-Eric

Comment 6 Eric Sandeen 2008-01-30 15:03:12 UTC

Patch is in the upstream ext4 git tree; will be heading to linus shortly.
Applied to rawhide kernel.

Note You need to log in before you can comment on or make changes to this bug.