From: Russell Coker <russell@coker.com.au>
To: Tom <tom@lemuria.org>, selinux@tycho.nsa.gov
Cc: bam@snoopy.apana.org.au
Subject: Re: Debian Kernel Images
Date: Mon, 20 Jan 2003 14:57:53 +0100
Message-ID: <200301201457.53609.russell@coker.com.au>
In-Reply-To: <20030120124808.A28400@lemuria.org>
[-- Attachment #1: Type: text/plain, Size: 1512 bytes --]
On Mon, 20 Jan 2003 12:48, Tom wrote:
> Jan 20 13:33:16 nsa3 kernel:
> SELinux: initialized (dev 00:00, type rootfs), not configured for labeling
> Jan 20 13:33:16 nsa3 kernel:
> Jan 20 13:33:16 nsa3 kernel: avc: denied { read } for pid=1
> exe=/sbin/init path=/ dev=00:00 ino=1 scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:unlabeled_t tclass=dir
OK, so what you are seeing is a rootfs access due to the kernel
inappropriately failing to close some file handles in a kernel thread.
I have attached a patch to fix this; Brian, please include it in your next
kernel build. Also, are you using the Debian kernel-source package? If so
then a bug should be filed against it requesting the patch to be included. I
intentionally removed the patch in question when Steve added it to an LSM
patch because I believe that as it is not an LSM issue (just a general kernel
bug) it is not required in an LSM system (it is less necessary in an LSM
system than in a non-LSM system) and therefore is best avoided so that it
doesn't needlessly cause patch conflicts.
Please note that as far as I am aware I was the first person to discover this
2.4.20 kernel bug, and I did so through SE Linux blocking (and logging) the
inappropriate access.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
[-- Attachment #2: initrd.patch --]
[-- Type: text/x-diff, Size: 359 bytes --]
--- linux-2.4.20.lsm-old/init/do_mounts.c 2002-12-13 19:33:23.000000000 +0100
+++ linux-2.4.20.lsm/init/do_mounts.c 2002-12-13 19:36:48.000000000 +0100
@@ -812,6 +812,8 @@
/* switch root and cwd back to / of rootfs */
sys_fchdir(root_fd);
sys_chroot(".");
+ close(old_fd);
+ close(root_fd);
sys_umount("/old/dev", 0);
if (real_root_dev == ram0) {
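Review bot: the two added lines call close() while every neighbouring call in this hunk (sys_fchdir, sys_chroot, sys_umount) uses the in-kernel sys_ prefix; this code runs in the init kernel thread, so confirm that close resolves to a kernel wrapper for sys_close within do_mounts.c, or write sys_close(old_fd); sys_close(root_fd); to match the surrounding calls. The placement is correct: root_fd has to stay open until sys_fchdir(root_fd) has run, and sys_chroot(".") operates on the new cwd rather than on the descriptor, so closing both right after it is safe. The return values are ignored, which is consistent with the adjacent calls.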
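The following is an added userspace model of the descriptor leak the patch closes; it is not code from the e-mail or from the kernel. A directory descriptor opened before a root switch and never closed survives execve() and so ends up in whatever program the thread later runs, which is how root_fd and old_fd would reach /sbin/init. The example opens "/" the way do_mounts.c opens root_fd, forks, and has the child exec a shell that inspects its own fd table via /proc (Linux only, and /bin/sh is assumed to exist). It compares three variants: leaving the fd open, closing it before the exec (what the patch does), and opening it with O_CLOEXEC so the kernel drops it at exec time.

```c
/*
 * Added example: does a directory fd opened before a hand-off survive execve()?
 * Assumes Linux (/proc/self/fd) and /bin/sh. Build: cc -Wall fdleak.c -o fdleak
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

enum leak_mode { LEAVE_OPEN, CLOSE_BEFORE_EXEC, OPEN_CLOEXEC };

/*
 * Open "/" as do_mounts.c opens its root_fd, optionally apply one of the two
 * remedies, then exec a shell that reports whether the descriptor is still in
 * its fd table. Returns 1 if the exec'd program still holds the fd, 0 if it
 * does not, -1 on error.
 */
int fd_survives_exec(enum leak_mode mode)
{
    int flags = O_RDONLY | O_DIRECTORY;
    if (mode == OPEN_CLOEXEC)
        flags |= O_CLOEXEC;              /* the kernel closes it at execve() */

    int root_fd = open("/", flags);
    if (root_fd < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(root_fd);
        return -1;
    }
    if (pid == 0) {
        if (mode == CLOSE_BEFORE_EXEC)
            close(root_fd);              /* what the patch does before the hand-off */
        char fdstr[16];
        snprintf(fdstr, sizeof fdstr, "%d", root_fd);
        /* The exec'd shell checks its own fd table; exit 0 means the fd is present. */
        execl("/bin/sh", "sh", "-c", "[ -e /proc/self/fd/$1 ]", "sh", fdstr, (char *)NULL);
        _exit(127);
    }
    close(root_fd);                      /* the parent's copy is not the one under test */

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int rc = WEXITSTATUS(status);
    if (rc == 127)
        return -1;                       /* exec failed */
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    printf("left open         : survives exec = %d\n", fd_survives_exec(LEAVE_OPEN));
    printf("closed before exec: survives exec = %d\n", fd_survives_exec(CLOSE_BEFORE_EXEC));
    printf("O_CLOEXEC         : survives exec = %d\n", fd_survives_exec(OPEN_CLOEXEC));
    return 0;
}
```

Only the first variant leaks: fork() always copies the fd table, so the remedy has to happen before the exec, either by an explicit close, as in the patch, or by asking for close-on-exec at open time. O_CLOEXEC is a userspace convenience here; the 2.4 kernel path in the patch has no equivalent, which is why the explicit closes are the right fix.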
Thread overview: 4+ messages
2003-01-20 11:48 Debian Kernel Images Tom
2003-01-20 13:57 ` Russell Coker [this message]
2003-01-30 7:52 ` Brian May
2003-01-30 7:58 ` Brian May