Bug 489538 - severe badness on F-10 -> rawhide upgrade w.r.t. policy and dbus
Summary: severe badness on F-10 -> rawhide upgrade w.r.t. policy and dbus
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-03-10 16:20 UTC by Bill Nottingham
Modified: 2014-03-17 03:17 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-03-10 20:11:41 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Bill Nottingham 2009-03-10 16:20:32 UTC
Description of problem:

We've noticed recently a spate of errors on rawhide upgrades where, in the middle of the transaction, the desktop goes away and the transaction dies.

Upon debugging, it appears that the session bus for the desktop is refusing connections.

Coincident with the error appears to be the following message in syslog:

SELinux: Context unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 became invalid (unmapped)

Is the policy update removing the running context out from under the session bus? If so, how do we prevent this, as it causes fairly catastrophic effects to the desktop session.

Version-Release number of selected component (if applicable):

rawhide

How reproducible:

Often enough that it's not a coincidence

Comment 1 Daniel Walsh 2009-03-10 20:11:41 UTC
Fixed in selinux-policy-3.6.8-3.fc11

Comment 2 Colin Walters 2009-03-11 16:01:46 UTC
So if the SELinux policy removes a previously valid context, in general we will have a problem with any userspace program which acts as a SELinux userspace security manager.  Right now dbus is the most prominent, but the X server has the fundamental support, and once we add policy a similar bug could reappear there.

The solutions I see are:

1) Never remove security contexts from policy (an automated check here would probably be pretty easy)
2) Don't apply selinux-policy changes immediately, they require a reboot


Note You need to log in before you can comment on or make changes to this bug.