* Debian Kernel Images
@ 2003-01-20 11:48 Tom
2003-01-20 13:57 ` Russell Coker
0 siblings, 1 reply; 4+ messages in thread
From: Tom @ 2003-01-20 11:48 UTC (permalink / raw)
To: selinux
Somehow, the initrd process seems to mess with the SELinux stuff. When
I boot Brian's kernel (which uses initrd), I suddenly get lots of
errors, relating to unlabeled_t. My own kernel runs fine.
Now there is no unlabeled file on the filesystem. I scanned it
completely, just to be sure. Here's an excerpt from the syslog during
the boot process:
Jan 20 13:33:16 nsa3 kernel: hda: 39102336 sectors (20020 MB) w/1024KiB Cache, CHS=38792/16/63, UDMA(66)
Jan 20 13:33:16 nsa3 kernel: Partition check:
Jan 20 13:33:16 nsa3 kernel: /dev/ide/host0/bus0/target0/lun0: [PTBL] [2586/240/63] p1 p2 p3 p4
Jan 20 13:33:16 nsa3 kernel: kjournald starting. Commit interval 5 seconds
Jan 20 13:33:16 nsa3 kernel: EXT3-fs: mounted filesystem with ordered data mode.
Jan 20 13:33:16 nsa3 kernel: SELinux: Completing initialization.
Jan 20 13:33:16 nsa3 kernel: security: loading policy configuration from /etc/security/selinux/policy.12
Jan 20 13:33:16 nsa3 kernel: security: policydb is compressed, decompressing...
Jan 20 13:33:16 nsa3 kernel: security: decompressed 2523517 bytes
Jan 20 13:33:16 nsa3 kernel: security: 5 users, 5 roles, 637 types
Jan 20 13:33:16 nsa3 kernel: security: 29 classes, 103704 rules
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 03:01, type ext3), uses PSIDs
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 01:00, type cramfs), not configured for labeling
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 00:07, type devpts), uses transition SIDs
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 00:06, type devfs), uses genfs_contexts
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 00:05, type pipefs), uses task SIDs
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 00:04, type tmpfs), uses transition SIDs
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 00:03, type sockfs), uses task SIDs
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 00:02, type proc), uses genfs_contexts
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 00:01, type bdev), not configured for labeling
Jan 20 13:33:16 nsa3 kernel: SELinux: initialized (dev 00:00, type rootfs), not configured for labeling
Jan 20 13:33:16 nsa3 kernel:
Jan 20 13:33:16 nsa3 kernel: avc: denied { read } for pid=1 exe=/sbin/init path=/ dev=00:00 ino=1 scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Jan 20 13:33:16 nsa3 kernel:
Jan 20 13:33:16 nsa3 kernel: avc: denied { search } for pid=1 exe=/sbin/init path=/var dev=03:01 ino=63873 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=dir
Jan 20 13:33:16 nsa3 kernel:
Jan 20 13:33:16 nsa3 kernel: avc: denied { use } for pid=33 exe=/bin/bash path=/ dev=00:00 ino=1 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 20 13:33:16 nsa3 kernel:
Jan 20 13:33:16 nsa3 kernel: avc: denied { read } for pid=33 exe=/bin/bash path=/ dev=00:00 ino=1 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Jan 20 13:33:16 nsa3 kernel:
Jan 20 13:33:16 nsa3 kernel: avc: denied { use } for pid=35 exe=/bin/mount path=/ dev=00:00 ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 20 13:33:16 nsa3 kernel:
Jan 20 13:33:16 nsa3 kernel: avc: denied { read } for pid=35 exe=/bin/mount path=/ dev=00:00 ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Jan 20 13:33:16 nsa3 kernel:
Jan 20 13:33:16 nsa3 kernel: avc: denied { use } for pid=38 exe=/sbin/blockdev path=/ dev=00:00 ino=1 scontext=system_u:system_r:fsadm_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 20 13:33:16 nsa3 kernel:
Jan 20 13:33:16 nsa3 kernel: avc: denied { read } for pid=38 exe=/sbin/blockdev path=/ dev=00:00 ino=1 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Jan 20 13:33:16 nsa3 kernel: Adding Swap: 975232k swap-space (priority -1)
Jan 20 13:33:16 nsa3 kernel: EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,1), internal journal
Jan 20 13:33:16 nsa3 kernel:
--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: Debian Kernel Images
2003-01-20 11:48 Debian Kernel Images Tom
@ 2003-01-20 13:57 ` Russell Coker
2003-01-30 7:52 ` Brian May
0 siblings, 1 reply; 4+ messages in thread
From: Russell Coker @ 2003-01-20 13:57 UTC (permalink / raw)
To: Tom, selinux; +Cc: bam
[-- Attachment #1: Type: text/plain, Size: 1512 bytes --]
On Mon, 20 Jan 2003 12:48, Tom wrote:
> Jan 20 13:33:16 nsa3 kernel:
> SELinux: initialized (dev 00:00, type rootfs), not configured for labeling
> Jan 20 13:33:16 nsa3 kernel:
> Jan 20 13:33:16 nsa3 kernel: avc: denied { read } for pid=1
> exe=/sbin/init path=/ dev=00:00 ino=1 scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:unlabeled_t tclass=dir
OK, so what you are seeing is a rootfs access due to the kernel
inappropriately failing to close some file handles in a kernel thread.
I have attached a patch to fix this, Brian please include it in your next
kernel build. Also are you using the Debian kernel-source package? If so
then a bug should be filed against it requesting the patch to be included. I
intentionally removed the patch in question when Steve added it to a LSM
patch because I believe that as it is not an LSM issue (just a general kernel
bug) it is not required in an LSM system (it is less necessary in a LSM
system than in a non-LSM system) and therefore is best avoided so that it
doesn't needlessly cause patch conflicts.
Please note that as far as I am aware I was the first person to discover this
2.4.20 kernel bug, and I did so through SE Linux blocking (and logging) the
inappropriate access.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
[-- Attachment #2: initrd.patch --]
[-- Type: text/x-diff, Size: 359 bytes --]
--- linux-2.4.20.lsm-old/init/do_mounts.c 2002-12-13 19:33:23.000000000 +0100
+++ linux-2.4.20.lsm/init/do_mounts.c 2002-12-13 19:36:48.000000000 +0100
@@ -812,6 +812,8 @@
/* switch root and cwd back to / of rootfs */
sys_fchdir(root_fd);
sys_chroot(".");
+ close(old_fd);
+ close(root_fd);
sys_umount("/old/dev", 0);
if (real_root_dev == ram0) {
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: Debian Kernel Images
2003-01-20 13:57 ` Russell Coker
@ 2003-01-30 7:52 ` Brian May
2003-01-30 7:58 ` Brian May
0 siblings, 1 reply; 4+ messages in thread
From: Brian May @ 2003-01-30 7:52 UTC (permalink / raw)
To: Russell Coker; +Cc: Tom, selinux
On Mon, Jan 20, 2003 at 02:57:53PM +0100, Russell Coker wrote:
> I have attached a patch to fix this, Brian please include it in your next
> kernel build. Also are you using the Debian kernel-source package? If so
Yes, I am using the Debian kernel source package, version 2.4.20-2, it
probably is old now (I can't keep up with the rate of change...)
> then a bug should be filed against it requesting the patch to be included. I
> intentionally removed the patch in question when Steve added it to a LSM
> patch because I believe that as it is not an LSM issue (just a general kernel
> bug) it is not required in an LSM system (it is less necessary in a LSM
> system than in a non-LSM system) and therefore is best avoided so that it
> doesn't needlessly cause patch conflicts.
errr... /usr/src/kernel-patches/all/lsm/lsm-2.4.20.patch.gz has the
patch, was this a mistake?
I have version 2003.01.15-1, according to your changelog nothing has
changed except the policy in version -3.
--
Brian May <bam@snoopy.apana.org.au>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Debian Kernel Images
2003-01-30 7:52 ` Brian May
@ 2003-01-30 7:58 ` Brian May
0 siblings, 0 replies; 4+ messages in thread
From: Brian May @ 2003-01-30 7:58 UTC (permalink / raw)
To: Russell Coker, Tom, selinux
On Thu, Jan 30, 2003 at 06:52:56PM +1100, Brian May wrote:
> errr... /usr/src/kernel-patches/all/lsm/lsm-2.4.20.patch.gz has the
> patch, was this a mistake?
>
> I have version 2003.01.15-1, according to your changelog nothing has
> changed except the policy in version -3.
I just realized I was comparing kernel-patch-2.4-lsm versions with
selinux-small versions :-(.
I have kernel-patch-2.4-lsm version 2003.01.15-1.bam.1
--
Brian May <bam@snoopy.apana.org.au>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2003-01-30 7:58 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-01-20 11:48 Debian Kernel Images Tom
2003-01-20 13:57 ` Russell Coker
2003-01-30 7:52 ` Brian May
2003-01-30 7:58 ` Brian May
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.