From: "Nick 'Zaf' Clifford" <zaf@nrc.co.nz>
To: linux-kernel@vger.kernel.org
Cc: Zaf <zaf@nrc.co.nz>
Subject: if (2.6.24.1 && capset && bind9) bug()
Date: Tue, 12 Feb 2008 00:46:26 +1300 [thread overview]
Message-ID: <47B03592.20505@nrc.co.nz> (raw)
Please CC me on any/all replies
After trying to upgrade to deal with the most recent security issue, I
have encountered what has to either be me being very tired, or a kernel
bug. After assuming that it was the former for 3 hours, I now conclude
I'm more tired, and it has to be the latter.
Relevant versions:
Bind: 9.3.4
Kernel: Linux version 2.6.24.1.cerberus.1 (zaf@cerberus) (gcc version
4.1.2 (Ubuntu 4.1.2-0ubuntu4)) #1 SMP Mon Feb 11 20:05:58 NZDT 2008
Distro: Ubuntu Feisty
Processor: AMD Athlon
# cat /proc/cmdline
root=UUID=0996d997-a1f5-4601-964e-f3e71a477b81 ro quiet splash
Relevant .config settings (please let me know if more are needed):
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_FILE_CAPABILITIES is not set
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT is not set
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
(Note: tried with CONFIG_SECURITY_CAPABILITIES=n and same result)
relevant line from strace starting bind:
# strace -ff named -u bind 2> /tmp/bind.log
...
capset(0x19980330, 0,
{CAP_DAC_READ_SEARCH|CAP_SETGID|CAP_SETUID|CAP_NET_BIND_SERVICE|CAP_SYS_CHROOT|CAP_SYS_RESOURCE,
CAP
_DAC_READ_SEARCH|CAP_SETGID|CAP_SETUID|CAP_NET_BIND_SERVICE|CAP_SYS_CHROOT|CAP_SYS_RESOURCE,
0}) = -1 EPERM (Operation not
permitted)
...
What have I tried?
Tried it on two different systems, with the SEC CAP on and off.
Why do I think this is a kernel bug?
1) I revert to older kernel (2.6.22.1), no problems. Upgrade to
2.6.24.1. Problems.
2) Googling for "2.6.24 capset named" produces a lot of comments on the
mm tree about a breakage. It looked like it was fixed, but I'm obviously
not sure now.
So, someone please tell me either that I'm very very tired, and it must
be my config, or that it IS a kernel bug, and hopefully provide a nice
little patch to apply.
Once again, please CC me on replies,
Thanks,
Nick
next reply other threads:[~2008-02-11 12:27 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-02-11 11:46 Nick 'Zaf' Clifford [this message]
2008-02-12 3:38 ` if (2.6.24.1 && capset && bind9) bug() serge
2008-02-12 6:10 ` if (2.6.24.1 && capset && bind9) bug() --RESOVLED Nick 'Zaf' Clifford
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47B03592.20505@nrc.co.nz \
--to=zaf@nrc.co.nz \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox