From: Al Viro <viro@ZenIV.linux.org.uk>
To: Eric Paris <eparis@redhat.com>
Cc: Gene Heskett <gene.heskett@gmail.com>,
	"Rafael J. Wysocki" <rjw@sisk.pl>,
	James Morris <jmorris@namei.org>,
	linux-kernel@vger.kernel.org, Stephen Smalley <sds@tycho.nsa.gov>,
	aviro@redhat.com
Subject: Re: 2.6.27-rc1: strange fstab issue (Re: 2.6.27-rc1 + selinux new options = no httpd)
Date: Fri, 1 Aug 2008 15:02:24 +0100
Message-ID: <20080801140223.GN28946@ZenIV.linux.org.uk>
In-Reply-To: <1217598479.2980.4.camel@localhost.localdomain>

On Fri, Aug 01, 2008 at 09:47:59AM -0400, Eric Paris wrote:
> On Fri, 2008-08-01 at 09:39 -0400, Gene Heskett wrote:
> > On Thursday 31 July 2008, Rafael J. Wysocki wrote:
> > Update by Gene below.
> > >On Thursday, 31 of July 2008, James Morris wrote:
> > >> On Thu, 31 Jul 2008, Gene Heskett wrote:
> > >> > >Which new options?
> > >> >
> > >> > Make xconfig-->security options:
> > >> >
> > >> > XFRM Networking security hooks
> > >> >
> > >> >  and several others just below it.  Unforch, I can't copy/paste the
> > >> > screen.
> > >>
> > >> I can't really imagine what that is (although if you enable the secmark
> > >> controls under the main SELinux menu, which are disabled by default,
> > >> there could be problems).
> > >
> > >On a possibly related note, I've been observing a strange issue on one of
> > >my test boxes with OpenSUSE 10.3 recently.   Namely, the fsck complains
> > >that there's no passno value in the fstab, although it obviously is present.
> > >
> > >Strangely enough, if the kernel is compiled with CONFIG_SECURITY_SELINUX
> > > unset, the fsck doesn't complain about the missing passno field any more.
> > >
> > >Thanks,
> > >Rafael
> > 
> > I just did a 2.6.27-rc1 rebuild on a pure, all defaults 'make oldconfig' from
> > my 2.6.26 final .config moved to that src tree.
> > 
> > httpd is still being denied access to its log files and dies during the bootup.
> > 
> > This is a showstopper for me.
> 
> Stephen Smalley just sent me a private note.  Apparently he is having
> e-mail trouble but he did point out the most likely problem.  Can you
> add the patch from
> 
> http://marc.info/?l=linux-kernel&m=121726661110266&w=2
> 
> And give it a whirl?  Sorry, but we think the problem is that the VFS
> stopped passing all of the relevant information down to the security
> system.  https is only allowed to append to its log files, not actually
> 'write.'  Since the VFS is no longer differentiating those two operations
> you are getting the denial for write.
> 
> I'll try to get this pushed into linus's tree quickly.

It's in linux-next, BTW.  I'll push the next set to Linus in an hour or so.
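
An added illustration, not part of the original thread and not kernel code: a simplified userspace model of the failure Eric Paris describes above, where an append-only policy starts denying a log open once the append bit stops reaching the security check. The MAY_* values match include/linux/fs.h; the AV_* constants, function names and the policy are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>

/* Permission-mask bits, values as in include/linux/fs.h */
#define MAY_WRITE  2
#define MAY_READ   4
#define MAY_APPEND 8

/* Hypothetical stand-ins for the security module's file permissions */
#define AV_READ   0x1
#define AV_WRITE  0x2
#define AV_APPEND 0x4

/* Build the mask handed to the security hook for an open().
 * keep_append=0 models the regression: the append bit is lost on the way. */
int open_to_mask(int oflags, int keep_append)
{
    int acc = oflags & O_ACCMODE, mask = 0;
    if (acc == O_RDONLY || acc == O_RDWR) mask |= MAY_READ;
    if (acc == O_WRONLY || acc == O_RDWR) mask |= MAY_WRITE;
    if ((oflags & O_APPEND) && keep_append) mask |= MAY_APPEND;
    return mask;
}

/* A write carrying MAY_APPEND is checked as "append", otherwise as "write". */
int mask_to_av(int mask)
{
    int av = 0;
    if (mask & MAY_READ) av |= AV_READ;
    if (mask & MAY_WRITE) av |= (mask & MAY_APPEND) ? AV_APPEND : AV_WRITE;
    return av;
}

/* Constructed policy: the daemon may only append to its log files. */
int log_policy_allows(int av)
{
    const int allowed = AV_APPEND;
    return (av & ~allowed) == 0;
}

int main(void)
{
    int fl = O_WRONLY | O_APPEND;   /* how a daemon typically opens its log */
    printf("append bit passed:  %s\n",
           log_policy_allows(mask_to_av(open_to_mask(fl, 1))) ? "allowed" : "denied");
    printf("append bit dropped: %s\n",
           log_policy_allows(mask_to_av(open_to_mask(fl, 0))) ? "allowed" : "denied");
    return 0;
}
```

The same open succeeds or fails depending only on whether the caller forwards the full mask; the policy itself never changed.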
