Re: SELinux: avc_has_perm: unexpected error 22

["Justin P. Mattock" <justinmattock@gmail.com>]

On 03/24/2011 01:24 PM, Stephen Smalley wrote:
> On Thu, 2011-03-24 at 13:22 -0700, Justin P. Mattock wrote:
>> On 03/24/2011 01:13 PM, Stephen Smalley wrote:
>>> On Thu, 2011-03-24 at 09:26 -0700, Justin P. Mattock wrote:
>>>> On 03/24/2011 06:58 AM, Stephen Smalley wrote:
>>>>> On Wed, 2011-03-23 at 19:30 -0700, Justin P. Mattock wrote:
>>>>>> On 03/23/2011 11:07 AM, Justin P. Mattock wrote:
>>>>>>> On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
>>>>>>>> this is showing up with the latest Mainline kernel.
>>>>>>>> gdm craps out..:
>>>>>>>>
>>>>>>>> [ 60.817] (II) Unloading synaptics
>>>>>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>>>>>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>>>>>>>> [ 60.828] SELinux: avc_has_perm: unexpected error 22
>>>>>>>> [ 60.831] SELinux: avc_has_perm: unexpected error 22
>>>>>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>>>>>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>>>>>>>> [ 60.881] (II) UnloadModule: "mouse"
>>>>>>>> [ 60.881] (II) Unloading mouse
>>>>>>>>
>>>>>>>>
>>>>>>>> full xorg.0.log is here:
>>>>>>>> http://fpaste.org/OOM2/
>>>>>>>>
>>>>>>>> Justin P. Mattock
>>>>>>>
>>>>>>> seems doing a bisect right now during the merge window is breaking,
>>>>>>> anyways looking through the commits I think this:
>>>>>>>
>>>>>>> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab
>>>>>>>
>>>>>>>
>>>>>>> might be what I am hitting, causing gdm to die out, as it starts.
>>>>>>>
>>>>>>> any ideas?
>>>>>>>
>>>>>>> Justin P. Mattock
>>>>>>
>>>>>> not sure if anybody is seeing this or hitting this with the current,
>>>>>> but reverting the above commit does not fix the problem.
>>>>>> will try another bisect(hopefully)
>>>>>
>>>>> Are you sure it is a kernel issue?  Seems more likely that it would be a
>>>>> policy problem.  What AVC denials are you getting?
>>>>>
>>>>
>>>>
>>>> strange.. was not even thinking of the avc's because the policy has
>>>> already been customized and has been working for a while now without
>>>> adding any rules.
>>>>
>>>> Anyways your right, seems the labels get changed or something with this
>>>> kernel or something:
>>>> http://fpaste.org/w4nK/
>>>
>>> audit(1300983537.941:34): security_compute_sid:  invalid context
>>> system_u:system_r:root_xdrawable_t:s0-s0:c0.c1023 for
>>> scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
>>> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_drawable
>>>
>>> This looks like it might be a kernel regression after all.
>>> security_compute_sid should return object_r for tclass x_drawable, not
>>> system_r.  Likely due to the recent changes there to support socket type
>>> transitions.  Not sure exactly what is going wrong, as it should only
>>> happen on the socket classes.
>>>
>>
>> alright!!
>>
>> as for good kernel:
>> 2.6.38-00071-g5a69473
>> is the last good one I have, so bisecting wont be too much but if I hit
>> the breakage like last time it might slow things down and/or ruin the
>> bisect.
>
> If it is what I think it is, then the breakage would be commit
> 6f5317e730505d5cbc851c435a2dfe3d5a21d343
>

yep!

reverting that commit gets gdm to not crap out.
full dmesg here:
http://fpaste.org/34DC/

Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.