Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 739942

Summary: SELinux: return error codes on policy load failure
Product: Red Hat Enterprise Linux 6 Reporter: Karel Srot <ksrot>
Component: kernelAssignee: Eric Paris <eparis>
Status: CLOSED WONTFIX QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.3CC: jcpunk, kzhang, mmalik, syeghiay
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-01 20:45:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 728633, 767187    
Attachments:
Description Flags
strace -f semanage log none

Description Karel Srot 2011-09-20 14:07:27 UTC 
Created attachment 524040 [details]
strace -f semanage log

Description of problem:

When policy load fails, semanage is not notified and exits with 0.
User is not notified that the new policy was not loaded.

This was a bug upstream fixed by:

commit a200005038955057063fc8ea82129ebc785df41c
Author: Eric Paris <eparis>
Date:   Tue Apr 20 10:29:42 2010 -0400

    SELinux: return error codes on policy load failure
    
    policy load failure always return EINVAL even if the failure was for some
    other reason (usually ENOMEM).  This patch passes error codes back up the
    stack where they will make their way to userspace.  This might help in
    debugging future problems with policy load.

Version-Release number of selected component (if applicable):


How reproducible:
sometimes


Steps to Reproduce:
update policy (with semanage) on a system with small amount of memory (probably).
  
Actual results:
semanage fails to update policy but returns exit code 0

console log:
SELinux: 2048 avtab hash slots, 220644 rules.
SELinux: 2048 avtab hash slots, 220644 rules.
SELinux:  9 users, 13 roles, 3546 types, 176 bools, 1 sens, 1024 cats
SELinux:  81 classes, 220644 rules
load_policy: page allocation failure. order:1, mode:0x20
CPU: 1 Not tainted 2.6.32-195.el6.s390x #1
Process load_policy (pid: 2521, task: 0000000002604890, ksp: 0000000000883298)
00000000008836f0 0000000000883670 0000000000000002 0000000000000000 
       0000000000883710 0000000000883688 0000000000883688 00000000004cb8c0 
       000000001fe455ee 0000000000000000 0000000000000020 0000000000000000 
       000000000000000d 000000000000000c 00000000008836e0 0000000000000000 
       0000000000000000 00000000001051bc 0000000000883670 00000000008836b0 
Call Trace:
([<00000000001050bc>] show_trace+0xe8/0x138)
 [<0000000000206382>] __alloc_pages_nodemask+0x80a/0xa40
 [<000000000024369a>] cache_alloc_refill+0x3e2/0x6d8
 [<0000000000243e46>] __kmalloc+0x19a/0x1bc
 [<000000000031eff4>] selinux_set_mapping.clone.1+0x98/0x2a8
 [<000000000031f39c>] security_load_policy+0x198/0x4b0
 [<000000000030b3a8>] sel_write_load+0xfc/0x7d8
 [<0000000000255830>] vfs_write+0xa0/0x1a0
 [<0000000000255a32>] SyS_write+0x5a/0xac
 [<000000000011863c>] sysc_tracego+0xe/0x14
 [<000003fffd5277f4>] 0x3fffd5277f4
Mem-Info:
DMA per-cpu:
CPU    0: hi:  186, btch:  31 usd:   0
CPU    1: hi:  186, btch:  31 usd:   4
active_anon:49605 inactive_anon:49618 isolated_anon:0
 active_file:674 inactive_file:688 isolated_file:0
 unevictable:913 dirty:0 writeback:0 unstable:0
 free:800 slab_reclaimable:1845 slab_unreclaimable:14760
 mapped:1158 shmem:36 pagetables:463 bounce:0
DMA free:3200kB min:2876kB low:3592kB high:4312kB active_anon:198420kB inactive_anon:198472kB active_file:2696kB inactive_file:2752kB unevictable:3652kB isolated(anon):0kB isolated(file):0kB present:517120kB mlocked:0kB dirty:0kB writeback:0kB mapped:4632kB shmem:144kB slab_reclaimable:7380kB slab_unreclaimable:59040kB kernel_stack:2640kB pagetables:1852kB unstable:0kB bounce:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 0 0
DMA: 672*4kB 0*8kB 32*16kB 0*32kB 0*64kB 0*128kB 0*256kB 0*512kB 0*1024kB = 3200kB
3691 total pagecache pages
1369 pages in swap cache
Swap cache stats: add 25471, delete 24102, find 144/315
Free swap  = 919948kB
Total swap = 1015800kB
131072 pages RAM
5212 pages reserved
4225 pages shared
122062 pages non-shared


"strace -f semanage .." atached
Comment 5 RHEL Program Management 2011-12-13 04:43:02 UTC 
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux maintenance release. Product Management has 
requested further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed 
products. This request is not yet committed for inclusion in an Update release.
Comment 9 RHEL Program Management 2012-07-10 06:51:22 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 10 RHEL Program Management 2012-07-10 23:28:52 UTC 
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Comment 11 RHEL Program Management 2012-12-14 07:19:18 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 12 Eric Paris 2013-10-01 20:45:47 UTC 
I am going to close this as WONTFIX.  It is annoying to always get the same EINVAL, but the fix is large and a failure is a failure.  If this presents a particular problem, please feel free to reopen.