SE-Linux and 2.4.20

SE-Linux and 2.4.20

[Brian May]

Hello,

I have found I simply cannot use a 2.4.20 kernel with SE-Linux
support on my laptop computer with out it "hanging" after a while.

By this I mean random processes hang, and cannot be killed, even with
kill -9, and rebooting doesn't work.

Combinations tested:

2.4.19 + older selinux patch (v12) = OK
2.4.20 with SE-Linux (accidently) disabled = OK
2.4.20 with new SE-Linux patch (v12) = crashed before 30 minutes.
(was doing nothing but downloading files at the time with apt-get).

In all cases I have the same policy installed.

Any ideas on how to debug this problem further?
-- 
Brian May <bam@snoopy.apana.org.au>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SE-Linux and 2.4.20

[Dale Amon]

On Thu, Mar 20, 2003 at 11:22:46AM +1100, Brian May wrote:
> I have found I simply cannot use a 2.4.20 kernel with SE-Linux
> support on my laptop computer with out it "hanging" after a while.
> 
> By this I mean random processes hang, and cannot be killed, even with
> kill -9, and rebooting doesn't work.

Just as another data point: I had to back a 2.4.20
kernel off a firewall because it was oopsing in random
processes after a couple hours. Might not be related...
the kernel had crypto, freeswan and grsec, the oops
was during kernel paging. Are you seeing an OOPS when
you get the lockup?

-- 
------------------------------------------------------
       IN MY NAME:            Dale Amon, CEO/MD
  No Mushroom clouds over     Islandone Society
    London and New York.      www.islandone.org
------------------------------------------------------

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SE-Linux and 2.4.20

[Thor Kristoffersen]

Dale Amon writes:
> Just as another data point: I had to back a 2.4.20
> kernel off a firewall because it was oopsing in random
> processes after a couple hours. Might not be related...
> the kernel had crypto, freeswan and grsec, the oops
> was during kernel paging.

I think there may be reason to suspect that there is something wrong in the
LSM code, and not necessarily SELinux itself, because in my experience
  LIDS without LSM works fine.
  LIDS with LSM
    - works fine without X
    - OOPSes with X.
This pattern has been repeatable for me across several versions of Linux,
LIDS, and LSM.  I seem to recall that these OOPSes also occured at some
kind of paging request.


Thor

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SE-Linux and 2.4.20

[Stephen D. Smalley]

Brian May wrote:
> I have found I simply cannot use a 2.4.20 kernel with SE-Linux
> support on my laptop computer with out it "hanging" after a while.
> 
> By this I mean random processes hang, and cannot be killed, even with
> kill -9, and rebooting doesn't work.
> 
> Combinations tested:
> 
> 2.4.19 + older selinux patch (v12) = OK
> 2.4.20 with SE-Linux (accidently) disabled = OK
> 2.4.20 with new SE-Linux patch (v12) = crashed before 30 minutes.
> (was doing nothing but downloading files at the time with apt-get).
> 
> In all cases I have the same policy installed.
> 
> Any ideas on how to debug this problem further?

I haven't seen this behavior myself.  Was there anything useful in
/var/log/messages or the dmesg output, e.g. a kernel Oops message?  As
a reminder, we don't incorporate other bug fix patches in the
LSM/SELinux patches, so you do need to apply any other bug fix patches
that you want for the base kernel, e.g. the ext3 fixes for 2.4.20.

--
Stephen Smalley, NSA
sds@epoch.ncsc.mil


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SE-Linux and 2.4.20

[Brian May]

On Thu, Mar 20, 2003 at 11:12:27AM +0000, Dale Amon wrote:
> Just as another data point: I had to back a 2.4.20
> kernel off a firewall because it was oopsing in random
> processes after a couple hours. Might not be related...
> the kernel had crypto, freeswan and grsec, the oops
> was during kernel paging. Are you seeing an OOPS when
> you get the lockup?

No kernel OOPS.

My kernel also has freeswan support, too. It is a module though and not
loaded. Coincidence?

On Fri, Mar 21, 2003 at 11:04:32AM -0500, Stephen D. Smalley wrote:
> I haven't seen this behavior myself.  Was there anything useful in
> /var/log/messages or the dmesg output, e.g. a kernel Oops message?  As
> a reminder, we don't incorporate other bug fix patches in the
> LSM/SELinux patches, so you do need to apply any other bug fix patches
> that you want for the base kernel, e.g. the ext3 fixes for 2.4.20.

No useful messages.

No unexpected messages.

My debug.log file is badly currupted at the point of the crash, but
apart from that nothing unusual.

I use the Debian kernel source, which I believe is already patched
with the ext3 bug fix (at least according to the changelog it is).

I have also applied the ptrace security fixes, although the problem
happened before then.
-- 
Brian May <bam@snoopy.apana.org.au>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.