Bug 467216 - avc: denied { sys_resource } when using ext4dev partitions
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Eric Sandeen
QA Contact: Alexander Todorov

Reported: 2008-10-16 08:50 EDT by Alexander Todorov
Modified: 2009-01-20 15:10 EST
Doc Type: Bug Fix
Last Closed: 2009-01-20 15:10:56 EST

Description Alexander Todorov 2008-10-16 08:50:30 EDT
[root@localhost ~]# grep denied /var/log/messages 
Oct 16 08:32:55 localhost kernel: type=1400 audit(1224160368.466:4): avc:  denied  { sys_resource } for  pid=1601 comm="restorecond" capability=24 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=capability
Oct 16 08:32:55 localhost kernel: type=1400 audit(1224160369.076:5): avc:  denied  { sys_resource } for  pid=1624 comm="dbus-daemon" capability=24 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=capability
Oct 16 08:32:55 localhost kernel: type=1400 audit(1224160369.632:6): avc:  denied  { sys_resource } for  pid=1654 comm="hpiod" capability=24 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hplip_t:s0 tclass=capability
Oct 16 08:32:55 localhost kernel: type=1400 audit(1224160369.653:7): avc:  denied  { sys_resource } for  pid=1655 comm="hpiod" capability=24 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hplip_t:s0 tclass=capability
Oct 16 08:32:55 localhost kernel: type=1400 audit(1224160372.351:8): avc:  denied  { sys_resource } for  pid=1658 comm="python" capability=24 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hplip_t:s0 tclass=capability
Oct 16 08:32:55 localhost kernel: type=1400 audit(1224160372.384:9): avc:  denied  { sys_resource } for  pid=1661 comm="python" capability=24 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hplip_t:s0 tclass=capability
Oct 16 08:32:55 localhost kernel: type=1400 audit(1224160374.051:10): avc:  denied  { sys_resource } for  pid=1692 comm="xfs" capability=24 scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:system_r:xfs_t:s0 tclass=capability
Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-162.el5

Steps to Reproduce:
1. Installed a system whose / partition is on ext4dev:
LABEL=/                 /                       ext4dev defaults        1 1
LABEL=/home             /home                   ext4dev defaults        1 2
/dev/sda1               /boot/efi               vfat    defaults        0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
Actual results:
Seeing the above denials in /var/log/messages after installation is complete.

Additional info:
Haven't seen SELinux denials when using ext3 partitions. Not sure if this is related to fs type.
Comment 1 Daniel Walsh 2008-10-16 15:16:51 EDT
If suddenly every confined domain in the universe needs sys_resource, I think it is a kernel bug.
Comment 2 Eric Paris 2008-10-24 11:13:01 EDT
http://marc.info/?t=122486095400002&r=1&w=2
Comment 3 Eric Sandeen 2008-10-24 16:47:57 EDT
Thanks, I sent a couple of patches upstream which should delay the capable() tests as eparis suggested, so at least we should only get the denials when all else fails (i.e. we actually need the root space, and neither the uid nor the gid matches that for the reserved space...)

http://marc.info/?l=linux-ext4&m=122488084212789&w=2
http://marc.info/?l=linux-ext4&m=122488090912882&w=2

Feel free to test :)

Thanks,
-Eric
Comment 4 Eric Sandeen 2008-10-24 17:39:23 EDT
I've pushed them to the pending ext4 patch queue now as well.

-Eric
Comment 5 Eric Sandeen 2008-10-27 12:52:33 EDT
Put the patches into rawhide/F10 today.
Comment 11 Daniel Walsh 2008-10-28 16:55:09 EDT
*** Bug 468683 has been marked as a duplicate of this bug. ***
Comment 13 Don Zickus 2008-11-04 11:50:46 EST
in kernel-2.6.18-122.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 15 Alexander Todorov 2008-11-10 07:04:28 EST
With 2.6.18-122.el5 and a default install on ext4dev / I'm not seeing any SELinux denials in the logs. Moving to VERIFIED.
Comment 17 Eric Sandeen 2009-01-05 14:15:06 EST
For the record, a fix for this is now upstream as well:

commit a996031c87e093017c0763326a08896a3a4817f4
Author: Eric Sandeen <sandeen@redhat.com>
Date:   Tue Oct 28 00:08:17 2008 -0400

    delay capable() check in ext4_has_free_blocks()

    As reported by Eric Paris, the capable() check in ext4_has_free_blocks()
    sometimes causes SELinux denials.

    We can rearrange the logic so that we only try to use the root-reserved
    blocks when necessary, and even then we can move the capable() test
    to last, to avoid the check most of the time.

    Signed-off-by: Eric Sandeen <sandeen@redhat.com>
    Reviewed-by: Mingming Cao <cmm@us.ibm.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
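The reordering described in Comment 3 and in the commit message above, as an added C model that is not the kernel's code: the `sb_model` and `task_model` structs and the call-counting `capable_sys_resource()` stand-in are constructed here so the difference in audit noise between the two orderings can be observed directly.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-ins (not the kernel's structures) for the superblock
 * fields and caller credentials that ext4_has_free_blocks() consults. */
struct sb_model {
    uint64_t free_blocks, dirty_blocks; /* free / delalloc-reserved blocks */
    uint64_t root_blocks;               /* reserve for privileged users  */
    unsigned resuid, resgid;            /* uid/gid allowed into reserve  */
};
struct task_model { unsigned fsuid; bool in_resgid; bool has_cap; };

/* Stand-in for capable(CAP_SYS_RESOURCE). Every call reaches the LSM hook,
 * and for a confined SELinux domain without the capability each one is an
 * "avc: denied { sys_resource }" audit record, so we count the calls. */
static int cap_checks;
static bool capable_sys_resource(const struct task_model *t)
{
    cap_checks++;
    return t->has_cap;
}

/* Pre-fix ordering: capable() is evaluated before we know whether the
 * reserve is needed, so every allocation by a confined domain audits. */
static bool has_free_blocks_before(const struct sb_model *sb,
                                   const struct task_model *t, uint64_t n)
{
    uint64_t root = 0;
    if (!capable_sys_resource(t) && t->fsuid != sb->resuid &&
        (sb->resgid == 0 || !t->in_resgid))
        root = sb->root_blocks;
    return sb->free_blocks >= root + n + sb->dirty_blocks;
}

/* Post-fix ordering (commit a996031c): try without the reserve first; only
 * when that fails check resuid, then resgid, and capable() last. */
static bool has_free_blocks_after(const struct sb_model *sb,
                                  const struct task_model *t, uint64_t n)
{
    if (sb->free_blocks >= sb->root_blocks + n + sb->dirty_blocks)
        return true;
    if (t->fsuid == sb->resuid || (sb->resgid != 0 && t->in_resgid) ||
        capable_sys_resource(t))
        return sb->free_blocks >= n + sb->dirty_blocks;
    return false;
}
```

With plenty of free space the old ordering still triggers one capability check per allocation, while the new ordering triggers none; only when the filesystem is down to its reserve does the new code consult capable(), and then only after the resuid/resgid checks fail.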
Comment 18 errata-xmlrpc 2009-01-20 15:10:56 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-0225.html