Bug 441954 - kernel crash: semanage user -m -R unconfined_r user_u leaves existing process system_u object_r unlabeled_t
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Eric Paris
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-04-10 16:33 EDT by archimerged Ark submedes
Modified: 2008-08-02 19:40 EDT
Doc Type: Bug Fix
Last Closed: 2008-05-05 13:32:26 EDT

Description archimerged Ark submedes 2008-04-10 16:33:04 EDT
Description of problem:
This happens on Rawhide-2008-04-09, which has an error in installing
selinux-policy-targeted.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-31.fc9.noarch
policycoreutils-2.0.46-2.fc9.i386
libsemanage-2.0.24-1.fc9.i386

How reproducible:
I've seen it each time I looked (twice)

Steps to Reproduce:
1. Install Rawhide-2008-04-09 (that might be important)
2. user login on X11, logout.  (which sometimes leaves Xorg :0 tty7 running)
3. ps -ef | grep [u]serlogin; secon --pid 
4. tty1# semanage user -m -R unconfined_r user_u
5. ps -ef | grep [u]serlogin

Actual results:
3. bonobo-activation-server had context user_u user_r user_t
4. semanage got error message libsemanage_dbase_llist_query: could not query
record value (no such file or directory), after a long delay (maybe a minute).
5. the process context was system_u object_r unlabeled_t.

Expected results:
Not this.  I imagine the process might have elevated privileges now.

Additional info:

install.log:
Installing selinux-policy-targeted-3.3.1-31.fc9.noarch
/usr/sbin/semanage: You must specify a prefix
/usr/sbin/semanage: You must specify a prefix

Comment 1 archimerged Ark submedes 2008-04-10 16:48:22 EDT
My notes also say on first attempt to change user_r to unconfined_r, system
crashed hard, no keyboard response even to shift-lock, no ping response,
power-off button which usually triggers shutdown was ignored, reset required. 
On reboot, the role was changed.  This happened on both systems I had installed
04-09 on.  I am repeating install to see if the crash is repeatable.  Presumably
the fixes to targeted policy might mask the symptoms but I don't think it should
be possible to crash the system just because s-p-t-3.3.1-31 is installed, and
this probably reflects a different bug.  Any pointers to instructions for
setting up serial port kernel debugger to get the crash state?

Comment 2 archimerged Ark submedes 2008-04-10 21:47:44 EDT
Repeated install on two systems.  The crucial factor which seems necessary for a
crash is that the user is logged in.  If no user process is active, there is no
crash.  If user is logged in, the crash occurs a short (but not zero) time after
the dbase_llist_query no such file or directory.  It is definitely a hard crash:
shift-lock, num-lock, scroll-lock lights do not respond, mouse tracking stops,
ping response stops, all at the same time.

Comment 3 Eric Paris 2008-04-11 21:55:16 EDT
Dan, although it is clearly not impossible that this was an actual kernel crash,
more likely is that system_u:object_r:kernel_t became an invalid type and all of
a sudden darn near everything went boom.

To collect a kernel crash, though, attach a serial console and add

console=ttyS0,9600 console=tty0

to the boot line.  All kernel messages will then go out the first serial port
and to the console...

Comment 4 Eric Paris 2008-05-01 10:02:27 EDT
Did we get any messages from the console?  Anything relevant you could find in
/var/log/messages, dmesg or /var/log/audit/audit.log?

Comment 5 Daniel Walsh 2008-05-05 13:32:26 EDT
Fixed in latest policy

Fixed in selinux-policy-3.3.1-40.fc9.noarch
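
Added example, not part of the original bug report or of any Fedora tool: a small audit that looks for the state reported in step 5 of the description, a running process labelled with type unlabeled_t or role object_r, by reading /proc/<pid>/attr/current. The function names and the sample process tree are constructed for illustration.

```python
import os
import tempfile

def parse_context(raw):
    """Split 'user:role:type[:level]' into fields; None if it is not a context."""
    parts = raw.strip("\x00\n ").split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        return None
    return {"user": parts[0], "role": parts[1], "type": parts[2]}

def suspicious_processes(proc_root="/proc"):
    """Return [(pid, comm, context)] for processes with unlabeled_t or object_r."""
    findings = []
    pids = sorted(int(d) for d in os.listdir(proc_root) if d.isdigit())
    for pid in pids:
        base = os.path.join(proc_root, str(pid))
        try:
            with open(os.path.join(base, "attr", "current")) as fh:
                raw = fh.read()
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited, SELinux disabled, or no permission
        ctx = parse_context(raw)
        # The state reported in this bug: a live process that carries the
        # unlabeled_t type or the object_r role after the policy change.
        if ctx and (ctx["type"] == "unlabeled_t" or ctx["role"] == "object_r"):
            findings.append((pid, comm, raw.strip("\x00\n ")))
    return findings

def build_sample_proc(root):
    """Constructed sample tree mimicking /proc/<pid>/{comm,attr/current}."""
    sample = {
        1: ("init", "system_u:system_r:init_t:s0\x00"),
        2101: ("bonobo-activati", "system_u:object_r:unlabeled_t"),
        2200: ("bash", "user_u:user_r:user_t:s0\n"),
    }
    for pid, (comm, ctx) in sample.items():
        os.makedirs(os.path.join(root, str(pid), "attr"))
        with open(os.path.join(root, str(pid), "comm"), "w") as fh:
            fh.write(comm + "\n")
        with open(os.path.join(root, str(pid), "attr", "current"), "w") as fh:
            fh.write(ctx)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_proc(tmp)  # replace tmp with "/proc" on a live system
        for pid, comm, ctx in suspicious_processes(tmp):
            print(pid, comm, ctx)
```

Run as root against the real /proc before and after a semanage change to see whether any logged-in user's processes lost their label.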
