* Debian Kernel Images
From: Tom @ 2003-01-20 11:48 UTC (permalink / raw)
  To: selinux

Somehow, the initrd process seems to mess with the SELinux stuff. When
I boot Brian's kernel (which uses initrd), I suddenly get lots of
errors, relating to unlabeled_t. My own kernel runs fine.

Now there is no unlabeled file on the filesystem. I scanned it
completely, just to be sure. Here's an excerpt from the syslog during
the boot process:

Jan 20 13:33:16 nsa3 kernel: hda: 39102336 sectors (20020 MB) w/1024KiB Cache, CHS=38792/16/63, UDMA(66)
Jan 20 13:33:16 nsa3 kernel: Partition check:
Jan 20 13:33:16 nsa3 kernel:  /dev/ide/host0/bus0/target0/lun0: [PTBL] [2586/240/63] p1 p2 p3 p4
Jan 20 13:33:16 nsa3 kernel: kjournald starting.  Commit interval 5 seconds
Jan 20 13:33:16 nsa3 kernel: EXT3-fs: mounted filesystem with ordered data mode.
Jan 20 13:33:16 nsa3 kernel: SELinux:  Completing initialization.
Jan 20 13:33:16 nsa3 kernel: security:  loading policy configuration from /etc/security/selinux/policy.12
Jan 20 13:33:16 nsa3 kernel: security:  policydb is compressed, decompressing...
Jan 20 13:33:16 nsa3 kernel: security:  decompressed 2523517 bytes
Jan 20 13:33:16 nsa3 kernel: security:  5 users, 5 roles, 637 types
Jan 20 13:33:16 nsa3 kernel: security:  29 classes, 103704 rules
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 03:01, type ext3), uses PSIDs
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 01:00, type cramfs), not configured for labeling
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 00:07, type devpts), uses transition SIDs
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 00:06, type devfs), uses genfs_contexts
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 00:05, type pipefs), uses task SIDs
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 00:04, type tmpfs), uses transition SIDs
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 00:03, type sockfs), uses task SIDs
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 00:02, type proc), uses genfs_contexts
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 00:01, type bdev), not configured for labeling
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 00:00, type rootfs), not configured for labeling
Jan 20 13:33:16 nsa3 kernel: 
Jan 20 13:33:16 nsa3 kernel: avc:  denied  { read } for  pid=1 exe=/sbin/init path=/ dev=00:00 ino=1 scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Jan 20 13:33:16 nsa3 kernel: 
Jan 20 13:33:16 nsa3 kernel: avc:  denied  { search } for  pid=1 exe=/sbin/init path=/var dev=03:01 ino=63873 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=dir
Jan 20 13:33:16 nsa3 kernel: 
Jan 20 13:33:16 nsa3 kernel: avc:  denied  { use } for  pid=33 exe=/bin/bash path=/ dev=00:00 ino=1 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 20 13:33:16 nsa3 kernel: 
Jan 20 13:33:16 nsa3 kernel: avc:  denied  { read } for  pid=33 exe=/bin/bash path=/ dev=00:00 ino=1 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Jan 20 13:33:16 nsa3 kernel: 
Jan 20 13:33:16 nsa3 kernel: avc:  denied  { use } for  pid=35 exe=/bin/mount path=/ dev=00:00 ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 20 13:33:16 nsa3 kernel: 
Jan 20 13:33:16 nsa3 kernel: avc:  denied  { read } for  pid=35 exe=/bin/mount path=/ dev=00:00 ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Jan 20 13:33:16 nsa3 kernel: 
Jan 20 13:33:16 nsa3 kernel: avc:  denied  { use } for  pid=38 exe=/sbin/blockdev path=/ dev=00:00 ino=1 scontext=system_u:system_r:fsadm_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 20 13:33:16 nsa3 kernel: 
Jan 20 13:33:16 nsa3 kernel: avc:  denied  { read } for  pid=38 exe=/sbin/blockdev path=/ dev=00:00 ino=1 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Jan 20 13:33:16 nsa3 kernel: Adding Swap: 975232k swap-space (priority -1)
Jan 20 13:33:16 nsa3 kernel: EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,1), internal journal
Jan 20 13:33:16 nsa3 kernel: 



-- 
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
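The syslog excerpt above can be triaged mechanically; the following Python is an added example, not code from this thread, that parses the `SELinux: initialized` and `avc: denied` lines and groups denials by target object, so denials on rootfs (dev 00:00, which the init line reports as not configured for labeling) are separated from denials on the labeled ext3 root (dev 03:01). The sample lines are a constructed subset of the log above.

```python
import re
from collections import defaultdict
# Constructed sample: a handful of lines copied from the boot log above.
SAMPLE_LOG = """\
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 03:01, type ext3), uses PSIDs
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 00:00, type rootfs), not configured for labeling
Jan 20 13:33:16 nsa3 kernel: avc:  denied  { read } for  pid=1 exe=/sbin/init path=/ dev=00:00 ino=1 scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Jan 20 13:33:16 nsa3 kernel: avc:  denied  { search } for  pid=1 exe=/sbin/init path=/var dev=03:01 ino=63873 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=dir
Jan 20 13:33:16 nsa3 kernel: avc:  denied  { use } for  pid=33 exe=/bin/bash path=/ dev=00:00 ino=1 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 20 13:33:16 nsa3 kernel: avc:  denied  { read } for  pid=35 exe=/bin/mount path=/ dev=00:00 ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
INIT_RE = re.compile(r"SELinux: initialized \(dev (?P<dev>[0-9a-f]+:[0-9a-f]+), "
                     r"type (?P<fstype>\w+)\), (?P<mode>.+)$")

def parse_log(text):
    """Return (fs_modes, denials): labeling mode per device, plus each avc record as a dict."""
    fs_modes, denials = {}, []
    for line in text.splitlines():
        m = INIT_RE.search(line)
        if m:
            fs_modes[m["dev"]] = (m["fstype"], m["mode"])
            continue
        m = AVC_RE.search(line)
        if m:
            rec = dict(kv.split("=", 1) for kv in m["kv"].split())
            rec["perm"] = m["perm"]
            denials.append(rec)
    return fs_modes, denials

def triage(text):
    """Group denials by target object and say whether that object lives on a labeled disk fs."""
    fs_modes, denials = parse_log(text)
    groups = defaultdict(list)
    for d in denials:
        groups[(d["dev"], d["ino"], d["tcontext"])].append(d)
    report = []
    for (dev, ino, tctx), ds in groups.items():
        fstype, mode = fs_modes.get(dev, ("?", "?"))
        # rootfs (dev 00:00) is the in-kernel ramfs that the init line reports as unlabeled
        on_disk = fstype not in ("rootfs", "?") and "not configured" not in mode
        report.append({"dev": dev, "ino": ino, "fstype": fstype, "tcontext": tctx,
                       "on_disk": on_disk, "count": len(ds),
                       "domains": sorted({d["scontext"] for d in ds})})
    return report

def unlabeled_on_disk(text):
    # Answers "is there an unlabeled file on the real filesystem?": empty for this log
    return [r for r in triage(text) if r["on_disk"] and r["tcontext"].endswith(":unlabeled_t")]
```

Every `unlabeled_t` denial in the sample lands on rootfs inode 1, and the `fd use` denials name `kernel_t` as the owner of the descriptor, which is what distinguishes an inherited kernel-thread handle from a mislabeled file on disk.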


* Re: Debian Kernel Images
From: Russell Coker @ 2003-01-20 13:57 UTC (permalink / raw)
  To: Tom, selinux; +Cc: bam

On Mon, 20 Jan 2003 12:48, Tom wrote:
> Jan 20 13:33:16 nsa3 kernel:
> SELinux: initialized (dev 00:00, type rootfs), not configured for labeling
> Jan 20 13:33:16 nsa3 kernel:
> Jan 20 13:33:16 nsa3 kernel: avc:  denied  { read } for  pid=1
> exe=/sbin/init path=/ dev=00:00 ino=1 scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:unlabeled_t tclass=dir

OK, so what you are seeing is a rootfs access due to the kernel 
inappropriately failing to close some file handles in a kernel thread.

I have attached a patch to fix this, Brian, please include it in your next 
kernel build.  Also, are you using the Debian kernel-source package?  If so 
then a bug should be filed against it requesting the patch to be included.  I 
intentionally removed the patch in question when Steve added it to a LSM 
patch because I believe that as it is not an LSM issue (just a general kernel 
bug) it is not required in an LSM system (it is less necessary in a LSM 
system than in a non-LSM system) and therefore is best avoided so that it 
doesn't needlessly cause patch conflicts.

Please note that as far as I am aware I was the first person to discover this 
2.4.20 kernel bug, and I did so through SE Linux blocking (and logging) the 
inappropriate access.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: initrd.patch --]
[-- Type: text/x-diff, Size: 359 bytes --]

--- linux-2.4.20.lsm-old/init/do_mounts.c	2002-12-13 19:33:23.000000000 +0100
+++ linux-2.4.20.lsm/init/do_mounts.c	2002-12-13 19:36:48.000000000 +0100
@@ -812,6 +812,8 @@
 	/* switch root and cwd back to / of rootfs */
 	sys_fchdir(root_fd);
 	sys_chroot(".");
+	close(old_fd);
+	close(root_fd);
 	sys_umount("/old/dev", 0);
 
 	if (real_root_dev == ram0) {
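Review bot: the two added lines call `close()` while every other call in this hunk and its context goes through the in-kernel `sys_` entry points (`sys_fchdir`, `sys_chroot`, `sys_umount`); for consistency, and to be certain the kernel-side syscall is what runs here, spell them `sys_close(old_fd);` and `sys_close(root_fd);`. The placement right after `sys_chroot(".")` is correct: `root_fd` is the descriptor `sys_fchdir` uses to get back to `/` of rootfs, and leaving it and `old_fd` open in the kernel thread is what let them leak to init as the `dev=00:00 ino=1` descriptors in Tom's log, so closing them before `sys_umount` is what makes the `unlabeled_t` and `kernel_t` fd denials go away. The `search` denial on `/var` (`dev=03:01`, `tcontext=file_t`) is on the real root filesystem and is not addressed by this change.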


* Re: Debian Kernel Images
From: Brian May @ 2003-01-30  7:52 UTC (permalink / raw)
  To: Russell Coker; +Cc: Tom, selinux

On Mon, Jan 20, 2003 at 02:57:53PM +0100, Russell Coker wrote:
> I have attached a patch to fix this, Brian please include it in your next 
> kernel build.  Also are you using the Debian kernel-source package?  If so 

Yes, I am using the Debian kernel source package, version 2.4.20-2, it
probably is old now (I can't keep up with the rate of change...)

> then a bug should be filed against it requesting the patch to be included.  I 
> intentionally removed the patch in question when Steve added it to a LSM 
> patch because I believe that as it is not an LSM issue (just a general kernel 
> bug) it is not required in an LSM system (it is less necessary in a LSM 
> system than in a non-LSM system) and therefore is best avoided so that it 
> doesn't needlessly cause patch conflicts.

errr... /usr/src/kernel-patches/all/lsm/lsm-2.4.20.patch.gz has the
patch; was this a mistake?

I have version 2003.01.15-1, according to your changelog nothing has
changed except the policy in version -3.
-- 
Brian May <bam@snoopy.apana.org.au>



* Re: Debian Kernel Images
From: Brian May @ 2003-01-30  7:58 UTC (permalink / raw)
  To: Russell Coker, Tom, selinux

On Thu, Jan 30, 2003 at 06:52:56PM +1100, Brian May wrote:
> errr... /usr/src/kernel-patches/all/lsm/lsm-2.4.20.patch.gz has the
> patch, was this a mistake?
> 
> I have version 2003.01.15-1, according to your changelog nothing has
> changed except the policy in version -3.

I just realized I was comparing kernel-patch-2.4-lsm versions with
selinux-small versions :-(.

I have kernel-patch-2.4-lsm version 2003.01.15-1.bam.1
-- 
Brian May <bam@snoopy.apana.org.au>

