Bug 662344 - broken SELinux AVCs on XFS partition when running xfsdump
Summary: broken SELinux AVCs on XFS partition when running xfsdump
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 14
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Eric Sandeen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 600690
Depends On: 600690
Blocks:
 
Reported: 2010-12-11 21:08 UTC by Cristian Ciupitu
Modified: 2011-03-07 21:05 UTC (History)

Fixed In Version: kernel-2.6.35.10-72.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of: 600690
Environment:
Last Closed: 2010-12-22 19:52:43 UTC


Description Cristian Ciupitu 2010-12-11 21:08:23 UTC
+++ This bug was initially created as a clone of Bug #600690 +++

Description of problem:
xfsdump generates some broken SELinux AVCs when running on my XFS /home partition. This is the same partition I've used in Fedora 12 and older, so some of the files were created a long time ago, but on the other hand I've rebooted with /.autorelabel a couple of times, since installing Fedora 13.

ls -ldZ says this about one of the files:
drwxrwxr-x. ciupicri ciupicri unconfined_u:object_r:user_home_t:s0 ./3rdparty-projects/django/tests/modeltests/m2o_recursive2/.svn/tmp


Version-Release number of selected component (if applicable):
kernel-2.6.35.9-64.fc14.x86_64
selinux-policy-3.9.7-14.fc14.noarch
selinux-policy-targeted-3.9.7-14.fc14.noarch
xfsdump-3.0.4-1.fc13.x86_64


How reproducible:
Every time.


Steps to Reproduce:
1. xfsdump -l 0 -e -p 5 -f /media/SG1-personal/home.xfsdump /home

  
Actual results:
Lots of errors like this:
"xfsdump: WARNING: unable to open directory: ino 704668552: Permission denied"

SELinux denials:
time->Sat Jun  5 18:19:42 2010
type=SYSCALL msg=audit(1275751182.020:25706): arch=c000003e syscall=16 success=no exit=-13 a0=6 a1=ffffffffc038586b a2=7fff1e4804a0 a3=6 items=0 ppid=2980 pid=3006 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="xfsdump" exe="/sbin/xfsdump" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1275751182.020:25706): avc:  denied  { 0x400000 } for  pid=3006 comm="xfsdump" name="" dev=dm-1 ino=37436486 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file


Expected results:
No errors or at least a valid human readable permission instead of some hex.

Additional info:
This bug is similar to bug #576207, so it might be a duplicate.

If I set SELinux to permissive mode by running "setenforce 0", xfsdump seems to work fine (no errors printed).
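
Added example (not part of the original report or of the kernel fix): a triage script that pairs each AVC record with the SYSCALL record of the same audit event and flags the two symptoms visible above, a permission printed as raw hex and an unlabeled_t target context. The third sample record and the one-entry syscall table are constructed for the example.

```python
import re

# The first two records are the SYSCALL/AVC pair quoted in this report;
# the third is a constructed, well-formed denial added for contrast.
SAMPLE = """\
type=SYSCALL msg=audit(1275751182.020:25706): arch=c000003e syscall=16 success=no exit=-13 a0=6 a1=ffffffffc038586b a2=7fff1e4804a0 a3=6 items=0 ppid=2980 pid=3006 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="xfsdump" exe="/sbin/xfsdump" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1275751182.020:25706): avc:  denied  { 0x400000 } for  pid=3006 comm="xfsdump" name="" dev=dm-1 ino=37436486 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1275751190.100:25707): avc:  denied  { read } for  pid=4000 comm="example" name="notes.txt" dev=dm-1 ino=12345 scontext=system_u:system_r:example_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\):")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
X86_64_SYSCALLS = {16: "ioctl"}  # constructed table: only the number in the sample


def fields(line):
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def triage(log):
    syscalls, findings = {}, []
    for line in log.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _, serial = m.groups()
        f = fields(line)
        if rtype == "SYSCALL":
            syscalls[serial] = f
        elif rtype == "AVC" and (p := PERMS.search(line)):
            perms = p.group(1).split()
            raw = [int(t, 16) for t in perms if t.lower().startswith("0x")]
            findings.append({
                "serial": serial,
                "perms": perms,
                # hex tokens are permission bits logged without a name
                "unnamed_bits": [b for v in raw for b in range(32) if v >> b & 1],
                "unlabeled_target": f["tcontext"].split(":")[2] == "unlabeled_t",
                "tclass": f["tclass"], "ino": f["ino"],
            })
    for item in findings:  # join each AVC to the SYSCALL record of the same event
        sc = syscalls.get(item["serial"], {})
        num = int(sc["syscall"]) if "syscall" in sc else None
        item["syscall"] = X86_64_SYSCALLS.get(num, num)
        item["exe"] = sc.get("exe")
    return findings
```

For the record quoted in this report, the result shows bit 22 of the permission mask logged without a name, an unlabeled_t target, and ioctl as the denied syscall.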

Comment 1 Eric Sandeen 2010-12-17 16:53:31 UTC
> "xfsdump: WARNING: unable to open directory: ino 704668552: Permission denied"

XFS is trying to do the open by handle ioctl here

xfsctl(path, fsfd, XFS_IOC_OPEN_BY_HANDLE, &hreq);

if that's useful.  It seems that the files have proper labels on them, yes?  Not sure why the AVC seems odd...

Comment 2 Eric Paris 2010-12-17 17:13:58 UTC
This is a result of XFS using directory inodes but having never called d_instantiate() (or more importantly security_d_instantiate()).

Figure out where in the XFS code you guys are hooking your dentries to your inodes without calling d_instantiate(), fix that, and these will go away....

Comment 3 Eric Sandeen 2010-12-17 20:46:45 UTC
*** Bug 600690 has been marked as a duplicate of this bug. ***

Comment 4 Eric Sandeen 2010-12-17 20:47:36 UTC
http://marc.info/?l=linux-fsdevel&m=129013218025665&2=2

Fixes this right up.  Not upstream yet.

-Eric

Comment 5 Fedora Update System 2010-12-19 23:56:27 UTC
kernel-2.6.35.10-69.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/kernel-2.6.35.10-69.fc14

Comment 6 Fedora Update System 2010-12-21 13:55:00 UTC
kernel-2.6.35.10-72.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/kernel-2.6.35.10-72.fc14

Comment 7 Fedora Update System 2010-12-22 00:03:21 UTC
kernel-2.6.35.10-72.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update kernel'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/kernel-2.6.35.10-72.fc14

Comment 8 Fedora Update System 2010-12-22 19:51:37 UTC
kernel-2.6.35.10-72.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2011-02-05 20:13:48 UTC
kernel-2.6.34.8-67.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/kernel-2.6.34.8-67.fc13

Comment 10 Fedora Update System 2011-02-24 15:49:54 UTC
kernel-2.6.34.8-68.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/kernel-2.6.34.8-68.fc13

Comment 11 Fedora Update System 2011-03-07 21:05:48 UTC
kernel-2.6.34.8-68.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

