Re: [Bug #11271] BUG: fealnx in 2.6.27-rc1

Re: [Bug #11271] BUG: fealnx in 2.6.27-rc1

[Jaswinder Singh]

Hello all,

On Fri, Sep 12, 2008 at 3:06 PM, Rafael J. Wysocki <rjw-KKrjLPT3xs0@public.gmane.org> wrote:

> Bug-Entry       : http://bugzilla.kernel.org/show_bug.cgi?id=11271
> Subject         : BUG: fealnx in 2.6.27-rc1
> Submitter       : Jaswinder Singh <jaswinderlinux-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> Date            : 2008-08-05 14:58 (39 days old)
> References      : http://marc.info/?l=linux-netdev&m=121794762016830&w=4
>                  http://lkml.org/lkml/2008/8/10/98

I am sorry for delay.

Now I am testing for same problem with  2.6.27-rc6.:
1. On different MYSON Technology Inc SURECOM EP-320X-S 100/10M
Ethernet PCI Adapters
2. On different Linux PCs
3. With different Ethernet switches which supports 100 Mb
4. With different CAT 5 ethernet cables which supports 100 Mb
5. Also checking old patches on fealnx as per Jeff.

And it seems, I am getting following error, with few ethernet switches
and cables and when I switch ethernet cables  :
"NETDEV WATCHDOG: eth0 (fealnx): transmit timed out
eth0: Transmit timed out, status 00000000, resetting..."

Now I am trying to confirm that problem is coming from ethernet
switches and cables.

I am also facing one more Issue :

With same 100 Mb ethernet switch and cable my another NIC run at 100
Mb/s and full duplex but MYSON Technology Inc SURECOM EP-320X-S
100/10M runs on 10 Mb/s and half duplex.

I debug fealnx it says : PHYType 1 duplex_mode : 2 line_speed : 2
crvalue : 0xe40e61 bcrvalue : 0x10 imrvalue : 0x46c flags : 0x1

So it is saying duplex_mode : 2 (full duplex) and line_speed = 2
(100M) then why I am getting 10MB half duplex ?

#lspci -vv
02:02.0 Ethernet controller: MYSON Technology Inc SURECOM EP-320X-S
100/10M Ethernet PCI Adapter
        Subsystem: MYSON Technology Inc SURECOM EP-320X-S 100/10M
Ethernet PCI Adapter
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop-
ParErr- Stepping- SERR- FastB2B- DisINTx-
        Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium
>TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 32 (8000ns min, 16000ns max), Cache Line Size: 64 bytes
        Interrupt: pin A routed to IRQ 17
        Region 0: I/O ports at b800 [size=256]
        Region 1: Memory at ff9ffc00 (32-bit, non-prefetchable) [size=1K]
        Expansion ROM at 50000000 [disabled] [size=64K]
        Capabilities: [88] Power Management version 2
                Flags: PMEClk- DSI- D1+ D2- AuxCurrent=375mA
PME(D0-,D1+,D2-,D3hot+,D3cold+)
                Status: D0 PME-Enable- DSel=0 DScale=0 PME-
        Kernel driver in use: fealnx

#/sbin/ethtool eth0
Settings for eth0:
        Supported ports: [ TP MII ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  Not reported
        Advertised auto-negotiation: No
        Speed: 10Mb/s
        Duplex: Half
        Port: MII
        PHYAD: 32
        Transceiver: internal
        Auto-negotiation: off
        Current message level: 0x00000000 (0)
        Link detected: no

Thank you,

Jaswinder Singh.

Re: [Bug #11500] /proc/net bug related to selinux

[Andrew Morton]

On Mon, 15 Sep 2008 09:05:26 -0400
Stephen Smalley <sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org> wrote:

> 
> On Sat, 2008-09-13 at 12:37 -0700, Andrew Morton wrote:
> > On Sat, 13 Sep 2008 10:15:43 +1000 (EST) James Morris <jmorris-gx6/JNMH7DfYtjvyW6yDsg@public.gmane.org> wrote:
> > 
> > > On Fri, 12 Sep 2008, Andrew Morton wrote:
> > > 
> > > > > > Bug-Entry	: http://bugzilla.kernel.org/show_bug.cgi?id=11500
> > > > > > Subject		: /proc/net bug related to selinux
> > > > > > Submitter	: Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
> > > > > > Date		: 2008-09-04 17:45 (9 days old)
> > > > > > References	: http://marc.info/?l=linux-kernel&m=122055041313270&w=4
> > > > > 
> > > > > I think this might be a regression caused by namespace changes which we 
> > > 
> > > By which I mean, this was caused by a non-SELinux change to the upstream 
> > > kernel many, many eons ago.
> > 
> > hm, seems that 2.6.24 is OK but 2.6.25 is not.  I must have missed the
> > bug when testing 2.6.25-based kernels.
> > 
> > I started a git bisection search but after half an hour I hit bad
> > bisection breakage: a complete machine hang in fib_rules_init().
> > 
> > > > > addressed in SELinux policy.  Which distro version & policy version is 
> > > > > this seen with?
> > > > > 
> > > > 
> > > > FC5 on x86_32 and FC6 on x86_64.
> > > 
> > > As mentioned in the bugzilla, any related avc messages would be useful.
> > 
> > 2.6.25 dmesg: http://userweb.kernel.org/~akpm/dmesg-sony.txt
> > /var/log/messages: http://userweb.kernel.org/~akpm/messages-sony.txt
> > 
> > The latter includes this:
> > 
> > Sep 13 12:32:43 sony kernel: SELinux:  class key not defined in policy
> > Sep 13 12:32:43 sony kernel: SELinux:  class dccp_socket not defined in policy
> > Sep 13 12:32:43 sony kernel: SELinux:  class memprotect not defined in policy
> > Sep 13 12:32:43 sony kernel: SELinux:  class peer not defined in policy
> > Sep 13 12:32:43 sony kernel: SELinux:  class capability2 not defined in policy
> > Sep 13 12:32:43 sony kernel: SELinux:  permission open in class dir not defined in policy
> > Sep 13 12:32:43 sony kernel: SELinux:  permission open in class file not defined in policy
> > Sep 13 12:32:43 sony kernel: SELinux:  permission open in class chr_file not defined in policy
> > Sep 13 12:32:43 sony kernel: SELinux:  permission open in class blk_file not defined in policy
> > Sep 13 12:32:43 sony kernel: SELinux:  permission open in class fifo_file not defined in policy
> > Sep 13 12:32:43 sony kernel: SELinux:  permission dccp_recv in class node not defined in policy
> > Sep 13 12:32:43 sony kernel: SELinux:  permission dccp_send in class node not defined in policy
> > Sep 13 12:32:43 sony kernel: SELinux:  permission recvfrom in class node not defined in policy
> > Sep 13 12:32:43 sony kernel: SELinux:  permission sendto in class node not defined in policy
> > Sep 13 12:32:43 sony kernel: SELinux:  permission dccp_recv in class netif not defined in policy
> > Sep 13 12:32:43 sony kernel: SELinux:  permission dccp_send in class netif not defined in policy
> > Sep 13 12:32:43 sony kernel: SELinux:  permission ingress in class netif not defined in policy
> > Sep 13 12:32:43 sony kernel: SELinux:  permission egress in class netif not defined in policy
> > Sep 13 12:32:44 sony kernel: SELinux:  permission setkeycreate in class process not defined in policy
> > Sep 13 12:32:44 sony kernel: SELinux:  permission setsockcreate in class process not defined in policy
> > Sep 13 12:32:44 sony kernel: SELinux:  permission setfcap in class capability not defined in policy
> > Sep 13 12:32:44 sony kernel: SELinux:  permission polmatch in class association not defined in policy
> > Sep 13 12:32:44 sony kernel: SELinux:  permission flow_in in class packet not defined in policy
> > Sep 13 12:32:44 sony kernel: SELinux:  permission flow_out in class packet not defined in policy
> > Sep 13 12:32:44 sony kernel: SELinux:  permission forward_in in class packet not defined in policy
> > Sep 13 12:32:44 sony kernel: SELinux:  permission forward_out in class packet not defined in policy
> > Sep 13 12:32:44 sony kernel: SELinux: the above unknown classes and permissions will be denied
> > Sep 13 12:32:44 sony kernel: type=1403 audit(1221309118.644:3): policy loaded auid=4294967295 ses=4294967295
> > Sep 13 12:32:44 sony kernel: type=1400 audit(1221334321.726:4): avc:  denied  { audit_write } for  pid=400 comm="hwclock" capability=29 scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:system_r:hwclock_t:s0 tclass=capability
> > 
> > 
> > Why am I seeing this on two machines and two vanilla-installed distros
> > but nobody else is reporting it?

Running `ls -l /proc/net' on the FC6 machine produces:

[  132.591215] type=1400 audit(1221679672.590:10): avc:  denied  { getattr } for  pid=4389 comm="ls" path="/proc/net" dev=proc ino=4026531867 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file


> What we actually need to see is the output of:
> /sbin/ausearch -i -m AVC -sv no

akpm2:/home/akpm# /sbin/ausearch -i -m AVC -sv no 
<no matches>

> However, the most likely explanation is simply that when /proc/net was
> changed from being a directory to being a symlink to /proc/self/net,
> that introduced an additional permission check on accesses
> of /proc/net/<whatever>, namely the read check on the symlink itself.
> And since that check wasn't happening on /proc/net accesses with older
> kernels, older policies didn't allow it.
> 
> As to why others haven't reported it, I expect that they have updated
> their policies to newer ones that allow the necessary access.  The fact
> that legacy distros wouldn't have such updated policies isn't surprising
> - they don't push updates to those distros for new kernels.  FC5 and FC6
> are both EOL'd, right?
> 
> In any event, we didn't change anything in SELinux - the change was
> elsewhere (in the proc/net implementation).  Don't blame the messenger
> please.
> 

Vanilla FC5 broke and vanilla FC6 broke.  Did vanilla FC7, 8 or 9 break?

http://smolt.fedoraproject.org/static/stats/stats.html shows 11,000-odd
people running FC5 and FC6.  It would be incautious to assume that all
those people have updated their selinux rules.

And _requiring_ people to update their selinux rules to fix a
kernel-caused regression is a pretty big deal for some people, I
expect.

Then again, given that this regression has been out there since 2.6.25,
I guess not too many people are hurting from it.  But we suck.

Re: [Bug #11500] /proc/net bug related to selinux

[Paul Moore]

On Wednesday 17 September 2008 3:50:53 pm Andrew Morton wrote:
> On Mon, 15 Sep 2008 09:05:26 -0400
> Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > However, the most likely explanation is simply that when /proc/net
> > was changed from being a directory to being a symlink to
> > /proc/self/net, that introduced an additional permission check on
> > accesses of /proc/net/<whatever>, namely the read check on the
> > symlink itself. And since that check wasn't happening on /proc/net
> > accesses with older kernels, older policies didn't allow it.
> >
> > As to why others haven't reported it, I expect that they have
> > updated their policies to newer ones that allow the necessary
> > access.  The fact that legacy distros wouldn't have such updated
> > policies isn't surprising - they don't push updates to those
> > distros for new kernels.  FC5 and FC6 are both EOL'd, right?
> >
> > In any event, we didn't change anything in SELinux - the change was
> > elsewhere (in the proc/net implementation).  Don't blame the
> > messenger please.
>
> Vanilla FC5 broke and vanilla FC6 broke.  Did vanilla FC7, 8 or 9
> break?
>
> http://smolt.fedoraproject.org/static/stats/stats.html shows
> 11,000-odd people running FC5 and FC6.  It would be incautious to
> assume that all those people have updated their selinux rules.
>
> And _requiring_ people to update their selinux rules to fix a
> kernel-caused regression is a pretty big deal for some people, I
> expect.

Just so I'm clear on the context of the problem, it sounds like if a FC5 
(I'm limiting myself to FC5 for the moment) user upgraded to a recent 
(2.6.25+) kernel (non-distro supplied in the case of FC5) then they 
will run into problems unless they also upgrade their SELinux policy, 
yes?

If that is the case I'm not sure it is really that big of a deal.  Maybe 
I'm in the minority here, but in my mind once you step away from the 
distro supplied kernel (also applies to other packages, although those 
are arguably less critical) you should also bear the responsibility to 
make sure you upgrade/tweak/install whatever other bits need to be 
fixed.

> Then again, given that this regression has been out there since
> 2.6.25, I guess not too many people are hurting from it.  But we
> suck.

We suck?  Maybe, but some explanation about why we suck in this 
particular case would be helpful as far as I'm concerned.  I don't 
really care about identifying the guilty suckees, I'm more interested 
in finding out what happened to cause us to suck because of this.

-- 
paul moore
linux @ hp

Re: [Bug #11500] /proc/net bug related to selinux

[Eric W. Biederman]

Paul Moore <paul.moore@hp.com> writes:

> We suck?  Maybe, but some explanation about why we suck in this 
> particular case would be helpful as far as I'm concerned.  I don't 
> really care about identifying the guilty suckees, I'm more interested 
> in finding out what happened to cause us to suck because of this.

Agreed.  I believe we carefully gave selinux the same paths for /proc/net
that it had before so I don't know why this affects user space.

I know we had some selinux review when we made the change.

Eric

Re: [Bug #11500] /proc/net bug related to selinux

[Andrew Morton]

On Wed, 17 Sep 2008 17:24:36 -0400
Paul Moore <paul.moore@hp.com> wrote:

> On Wednesday 17 September 2008 3:50:53 pm Andrew Morton wrote:
> > On Mon, 15 Sep 2008 09:05:26 -0400
> > Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > > However, the most likely explanation is simply that when /proc/net
> > > was changed from being a directory to being a symlink to
> > > /proc/self/net, that introduced an additional permission check on
> > > accesses of /proc/net/<whatever>, namely the read check on the
> > > symlink itself. And since that check wasn't happening on /proc/net
> > > accesses with older kernels, older policies didn't allow it.
> > >
> > > As to why others haven't reported it, I expect that they have
> > > updated their policies to newer ones that allow the necessary
> > > access.  The fact that legacy distros wouldn't have such updated
> > > policies isn't surprising - they don't push updates to those
> > > distros for new kernels.  FC5 and FC6 are both EOL'd, right?
> > >
> > > In any event, we didn't change anything in SELinux - the change was
> > > elsewhere (in the proc/net implementation).  Don't blame the
> > > messenger please.
> >
> > Vanilla FC5 broke and vanilla FC6 broke.  Did vanilla FC7, 8 or 9
> > break?
> >
> > http://smolt.fedoraproject.org/static/stats/stats.html shows
> > 11,000-odd people running FC5 and FC6.  It would be incautious to
> > assume that all those people have updated their selinux rules.
> >
> > And _requiring_ people to update their selinux rules to fix a
> > kernel-caused regression is a pretty big deal for some people, I
> > expect.
> 
> Just so I'm clear on the context of the problem, it sounds like if a FC5 
> (I'm limiting myself to FC5 for the moment) user upgraded to a recent 
> (2.6.25+) kernel (non-distro supplied in the case of FC5) then they 
> will run into problems unless they also upgrade their SELinux policy, 
> yes?

That only true if the 2.6.25+ kernel.org kernel is
backward-incompatible with the distro kernel.

> If that is the case I'm not sure it is really that big of a deal.  Maybe 
> I'm in the minority here, but in my mind once you step away from the 
> distro supplied kernel (also applies to other packages, although those 
> are arguably less critical) you should also bear the responsibility to 
> make sure you upgrade/tweak/install whatever other bits need to be 
> fixed.

Nope.  Releasing a non-backward-compatible kernel.org kernel is a big
deal.

We'll do it sometimes, with long notice, much care and much deliberation.

We did it this time by sheer accident.  That's known in the trade as a
"bug".

> > Then again, given that this regression has been out there since
> > 2.6.25, I guess not too many people are hurting from it.  But we
> > suck.
> 
> We suck?  Maybe, but some explanation about why we suck in this 
> particular case would be helpful as far as I'm concerned.  I don't 
> really care about identifying the guilty suckees, I'm more interested 
> in finding out what happened to cause us to suck because of this.

Because we unintentionally and unknowingly released a kernel which is
not compatible with previous kernels without notifying any of our users
and without any consideration or planning.

Yes, often the consequences of the screwup are fairly small, but it's a
screwup nonetheless.



We don't even know the extent of the damage yet.  Which distros were
affected? With which versions of which userspace packages?

Re: [Bug #11500] /proc/net bug related to selinux

[Eric W. Biederman]

Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> writes:

> On Mon, 15 Sep 2008 09:05:26 -0400
> Stephen Smalley <sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org> wrote:

>> On Sat, 2008-09-13 at 12:37 -0700, Andrew Morton wrote:
>> However, the most likely explanation is simply that when /proc/net was
>> changed from being a directory to being a symlink to /proc/self/net,
>> that introduced an additional permission check on accesses
>> of /proc/net/<whatever>, namely the read check on the symlink itself.
>> And since that check wasn't happening on /proc/net accesses with older
>> kernels, older policies didn't allow it.

>> As to why others haven't reported it, I expect that they have updated
>> their policies to newer ones that allow the necessary access.  The fact
>> that legacy distros wouldn't have such updated policies isn't surprising
>> - they don't push updates to those distros for new kernels.  FC5 and FC6
>> are both EOL'd, right?
>> 
>> In any event, we didn't change anything in SELinux - the change was
>> elsewhere (in the proc/net implementation).  Don't blame the messenger
>> please.
>> 
>
> Vanilla FC5 broke and vanilla FC6 broke.  Did vanilla FC7, 8 or 9 break?
>
> http://smolt.fedoraproject.org/static/stats/stats.html shows 11,000-odd
> people running FC5 and FC6.  It would be incautious to assume that all
> those people have updated their selinux rules.
>
> And _requiring_ people to update their selinux rules to fix a
> kernel-caused regression is a pretty big deal for some people, I
> expect.

> Then again, given that this regression has been out there since 2.6.25,
> I guess not too many people are hurting from it.  But we suck.

Looking at this discussion closely from what I see selinux is designed
to work on the principle of least privilege.  If you make a user space
visible but compatible change, selinux will keep the system until
you update selinux.  Is selinux exposing too much to user space?
    
selinux was taken into consideration when the change was made.
The patch was even updated with feedback from Stephen Smiley.

> commit e9720acd728a46cb40daa52c99a979f7c4ff195c
> Author: Pavel Emelyanov <xemul-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org>
> Date:   Fri Mar 7 11:08:40 2008 -0800
> 
>     [NET]: Make /proc/net a symlink on /proc/self/net (v3)
>     
>     Current /proc/net is done with so called "shadows", but current
>     implementation is broken and has little chances to get fixed.
>     
>     The problem is that dentries subtree of /proc/net directory has
>     fancy revalidation rules to make processes living in different
>     net namespaces see different entries in /proc/net subtree, but
>     currently, tasks see in the /proc/net subdir the contents of any
>     other namespace, depending on who opened the file first.
>     
>     The proposed fix is to turn /proc/net into a symlink, which points
>     to /proc/self/net, which in turn shows what previously was in
>     /proc/net - the network-related info, from the net namespace the
>     appropriate task lives in.
>     
>     # ls -l /proc/net
>     lrwxrwxrwx  1 root root 8 Mar  5 15:17 /proc/net -> self/net
>     
>     In other words - this behaves like /proc/mounts, but unlike
>     "mounts", "net" is not a file, but a directory.
>     
>     Changes from v2:
>     * Fixed discrepancy of /proc/net nlink count and selinux labeling
>       screwup pointed out by Stephen.
>     
>       To get the correct nlink count the ->getattr callback for /proc/net
>       is overridden to read one from the net->proc_net entry.
>     
>       To make selinux still work the net->proc_net entry is initialized
>       properly, i.e. with the "net" name and the proc_net parent.
>     
>     Selinux fixes are
>     Acked-by:  Stephen Smalley <sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
>     
>     Changes from v1:
>     * Fixed a task_struct leak in get_proc_task_net, pointed out by Paul.
>     
>     Signed-off-by: Pavel Emelyanov <xemul-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org>
>     Acked-by: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
>     Signed-off-by: David S. Miller <davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>

Re: [Bug #11500] /proc/net bug related to selinux

[Andrew Morton]

On Wed, 17 Sep 2008 14:39:45 -0700
ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman) wrote:

> Paul Moore <paul.moore-VXdhtT5mjnY@public.gmane.org> writes:
> 
> > We suck?  Maybe, but some explanation about why we suck in this 
> > particular case would be helpful as far as I'm concerned.  I don't 
> > really care about identifying the guilty suckees, I'm more interested 
> > in finding out what happened to cause us to suck because of this.
> 
> Agreed.  I believe we carefully gave selinux the same paths for /proc/net
> that it had before so I don't know why this affects user space.
> 
> I know we had some selinux review when we made the change.
> 
> Eric

It's back up-thread somewhere.  umm...

On Mon, 15 Sep 2008 09:05:26 -0400
Stephen Smalley <sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org> wrote:

> However, the most likely explanation is simply that when /proc/net was
> changed from being a directory to being a symlink to /proc/self/net,
> that introduced an additional permission check on accesses
> of /proc/net/<whatever>, namely the read check on the symlink itself.
> And since that check wasn't happening on /proc/net accesses with older
> kernels, older policies didn't allow it.

Re: [Bug #11500] /proc/net bug related to selinux

[Paul Moore]

On Wednesday 17 September 2008 5:48:42 pm Andrew Morton wrote:
> On Wed, 17 Sep 2008 17:24:36 -0400
>
> Paul Moore <paul.moore@hp.com> wrote:
> > On Wednesday 17 September 2008 3:50:53 pm Andrew Morton wrote:
> > > On Mon, 15 Sep 2008 09:05:26 -0400
> > >
> > > Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > > > However, the most likely explanation is simply that when
> > > > /proc/net was changed from being a directory to being a symlink
> > > > to /proc/self/net, that introduced an additional permission
> > > > check on accesses of /proc/net/<whatever>, namely the read
> > > > check on the symlink itself. And since that check wasn't
> > > > happening on /proc/net accesses with older kernels, older
> > > > policies didn't allow it.
> > > >
> > > > As to why others haven't reported it, I expect that they have
> > > > updated their policies to newer ones that allow the necessary
> > > > access.  The fact that legacy distros wouldn't have such
> > > > updated policies isn't surprising - they don't push updates to
> > > > those distros for new kernels.  FC5 and FC6 are both EOL'd,
> > > > right?
> > > >
> > > > In any event, we didn't change anything in SELinux - the change
> > > > was elsewhere (in the proc/net implementation).  Don't blame
> > > > the messenger please.
> > >
> > > Vanilla FC5 broke and vanilla FC6 broke.  Did vanilla FC7, 8 or 9
> > > break?
> > >
> > > http://smolt.fedoraproject.org/static/stats/stats.html shows
> > > 11,000-odd people running FC5 and FC6.  It would be incautious to
> > > assume that all those people have updated their selinux rules.
> > >
> > > And _requiring_ people to update their selinux rules to fix a
> > > kernel-caused regression is a pretty big deal for some people, I
> > > expect.
> >
> > Just so I'm clear on the context of the problem, it sounds like if
> > a FC5 (I'm limiting myself to FC5 for the moment) user upgraded to
> > a recent (2.6.25+) kernel (non-distro supplied in the case of FC5)
> > then they will run into problems unless they also upgrade their
> > SELinux policy, yes?
>
> That only true if the 2.6.25+ kernel.org kernel is
> backward-incompatible with the distro kernel.

Yep, just wanted to make sure I was understanding the problem correctly.

> > If that is the case I'm not sure it is really that big of a deal. 
> > Maybe I'm in the minority here, but in my mind once you step away
> > from the distro supplied kernel (also applies to other packages,
> > although those are arguably less critical) you should also bear the
> > responsibility to make sure you upgrade/tweak/install whatever
> > other bits need to be fixed.
>
> Nope.  Releasing a non-backward-compatible kernel.org kernel is a big
> deal.

Well, there is also the issue of distro specific "special sauce" patches 
which might cause different behavior from the kernel.org kernel, but 
now we are starting to do down a rat hole ...

> We'll do it sometimes, with long notice, much care and much
> deliberation.
>
> We did it this time by sheer accident.  That's known in the trade as
> a "bug".

It is somewhat comforting to know that we can call what we do a "trade", 
further commentary on my part is best left to the imagination :)

> > > Then again, given that this regression has been out there since
> > > 2.6.25, I guess not too many people are hurting from it.  But we
> > > suck.
> >
> > We suck?  Maybe, but some explanation about why we suck in this
> > particular case would be helpful as far as I'm concerned.  I don't
> > really care about identifying the guilty suckees, I'm more
> > interested in finding out what happened to cause us to suck because
> > of this.
>
> Because we unintentionally and unknowingly released a kernel which is
> not compatible with previous kernels without notifying any of our
> users and without any consideration or planning.
>
> Yes, often the consequences of the screwup are fairly small, but it's
> a screwup nonetheless.

Okay, so we suck because broke something in 2.6.25 that went undetected 
because current SELinux policies happen to be compatible with the 
breakage.  Gotcha.

> We don't even know the extent of the damage yet.  Which distros were
> affected? With which versions of which userspace packages?

Can I assume that the "right" thing to do would be to find the problem 
and revert whatever change caused the issue, yes?  Or are we happy to 
wait and see since the fallout so far has been minimal?

-- 
paul moore
linux @ hp

Re: [Bug #11500] /proc/net bug related to selinux

[David Miller]

From: Paul Moore <paul.moore-VXdhtT5mjnY@public.gmane.org>
Date: Wed, 17 Sep 2008 17:24:36 -0400

> If that is the case I'm not sure it is really that big of a deal.  Maybe 
> I'm in the minority here, but in my mind once you step away from the 
> distro supplied kernel (also applies to other packages, although those 
> are arguably less critical) you should also bear the responsibility to 
> make sure you upgrade/tweak/install whatever other bits need to be 
> fixed.

No, we tend to call this breaking things instead.

Re: [Bug #11500] /proc/net bug related to selinux

[Andrew Morton]

On Wed, 17 Sep 2008 18:12:59 -0400
Paul Moore <paul.moore@hp.com> wrote:

> > We don't even know the extent of the damage yet.  Which distros were
> > affected? With which versions of which userspace packages?
> 
> Can I assume that the "right" thing to do would be to find the problem 
> and revert whatever change caused the issue, yes?  Or are we happy to 
> wait and see since the fallout so far has been minimal?

I don't think a revert is justified after all this time.  afaik I'm the
first person to notice the problem, and it's been out there for
multiple months.

However it would be good if we could find some not-completely-stinky
way of making the old userspace work.

otoh, people who are shipping 2.6.25- and 2.6.26-based distros probably
wouldn't want such a patch in their kernels anyway.

Re: [Bug #11500] /proc/net bug related to selinux

[Eric W. Biederman]

Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> writes:

> We don't even know the extent of the damage yet.  Which distros were
> affected? With which versions of which userspace packages?

This seems to me to be an extremely fragile selinux user space policy.
In their code that derives security labels from path names.
Why don't we have AppArmor in the kernel again?

Further I don't see how we could have possibly have supported that user space
policy.  How can we apply a user space defined label required by the selinux
policy to a symlink that did not exist?

I expect cd /proc/self/net would work.  In your situation and you can
see /proc/self/net/dev.

Everything here sounds to me like that selinux policy is impossibly brittle.
And anything that is that brittle I have no intention in claiming is a bug
in proc.

Eric

Re: [Bug #11500] /proc/net bug related to selinux

[Eric W. Biederman]

Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> writes:

> On Wed, 17 Sep 2008 18:12:59 -0400
> Paul Moore <paul.moore-VXdhtT5mjnY@public.gmane.org> wrote:
>
>> > We don't even know the extent of the damage yet.  Which distros were
>> > affected? With which versions of which userspace packages?
>> 
>> Can I assume that the "right" thing to do would be to find the problem 
>> and revert whatever change caused the issue, yes?  Or are we happy to 
>> wait and see since the fallout so far has been minimal?
>
> I don't think a revert is justified after all this time.  afaik I'm the
> first person to notice the problem, and it's been out there for
> multiple months.
>
> However it would be good if we could find some not-completely-stinky
> way of making the old userspace work.
>
> otoh, people who are shipping 2.6.25- and 2.6.26-based distros probably
> wouldn't want such a patch in their kernels anyway.

Disable selinux?

Get a selinux mystic to update that selinux policy.  I bet it is a one line
change to each the policy about /proc/net as a symlink.

Although I am puzzled why we don't get the same label as /proc/net as a directory
had.

Eric

Re: [Bug #11500] /proc/net bug related to selinux

[Stephen Smalley]

On Wed, 2008-09-17 at 15:32 -0700, Eric W. Biederman wrote:
> Andrew Morton <akpm@linux-foundation.org> writes:
> 
> > We don't even know the extent of the damage yet.  Which distros were
> > affected? With which versions of which userspace packages?
> 
> This seems to me to be an extremely fragile selinux user space policy.
> In their code that derives security labels from path names.
> Why don't we have AppArmor in the kernel again?

I think I explained that one before - in the case of /proc, the only
stable basis we have for deducing the security properties / protection
requirements for a given entry is its name, and its name can be reliably
constructed from the kernel's internal proc_dir_entry tree w/o any
ambiguity or potential for userspace manipulation (unlike the pathname
returned by d_path for a normal file).  I'd agree that it isn't optimal,
but it is what we have.

> Further I don't see how we could have possibly have supported that user space
> policy.  How can we apply a user space defined label required by the selinux
> policy to a symlink that did not exist?

I'm not blaming anyone here, or trying to argue that the /proc/net
changes should be reverted.  What happened here is that a kernel
interface (/proc/net) changed in a subtle way that had a side effect on
permission checking, and we tried to hide that change at the time (in
terms of ensuring that the new /proc/self/net tree would still be
labeled correctly), and we missed the fact that there would still be a
new check on the symlink read that wouldn't be covered by existing
policy.

> Everything here sounds to me like that selinux policy is impossibly brittle.
> And anything that is that brittle I have no intention in claiming is a bug
> in proc.

I'm not arguing that this is a bug in proc or in selinux for that
matter.

I do however think that the mantra that we can't require users to update
policy for kernel changes is unsupportable in general.  The precise set
of permission checks on a given operation is not set in stone and it is
not part of the kernel/userland interface/contract.  Policy isn't
"userspace"; it governs what userspace can do, and it has to adapt to
kernel changes.

Users who are willing/able to run the latest kernel on their own w/o
waiting for a coordinated update of kernel and policy from their
distribution ought to be able to create a local policy module - it isn't
rocket science, and they can always fall back on audit2allow if they
need to do so.

-- 
Stephen Smalley
National Security Agency

Re: [Bug #11500] /proc/net bug related to selinux

[Stephen Smalley]

On Thu, 2008-09-18 at 08:38 -0400, Stephen Smalley wrote:
> On Wed, 2008-09-17 at 15:32 -0700, Eric W. Biederman wrote:
> > Andrew Morton <akpm@linux-foundation.org> writes:
> > 
> > > We don't even know the extent of the damage yet.  Which distros were
> > > affected? With which versions of which userspace packages?
> > 
> > This seems to me to be an extremely fragile selinux user space policy.
> > In their code that derives security labels from path names.
> > Why don't we have AppArmor in the kernel again?
> 
> I think I explained that one before - in the case of /proc, the only
> stable basis we have for deducing the security properties / protection
> requirements for a given entry is its name, and its name can be reliably
> constructed from the kernel's internal proc_dir_entry tree w/o any
> ambiguity or potential for userspace manipulation (unlike the pathname
> returned by d_path for a normal file).  I'd agree that it isn't optimal,
> but it is what we have.
> 
> > Further I don't see how we could have possibly have supported that user space
> > policy.  How can we apply a user space defined label required by the selinux
> > policy to a symlink that did not exist?
> 
> I'm not blaming anyone here, or trying to argue that the /proc/net
> changes should be reverted.  What happened here is that a kernel
> interface (/proc/net) changed in a subtle way that had a side effect on
> permission checking, and we tried to hide that change at the time (in
> terms of ensuring that the new /proc/self/net tree would still be
> labeled correctly), and we missed the fact that there would still be a
> new check on the symlink read that wouldn't be covered by existing
> policy.
> 
> > Everything here sounds to me like that selinux policy is impossibly brittle.
> > And anything that is that brittle I have no intention in claiming is a bug
> > in proc.
> 
> I'm not arguing that this is a bug in proc or in selinux for that
> matter.
> 
> I do however think that the mantra that we can't require users to update
> policy for kernel changes is unsupportable in general.  The precise set
> of permission checks on a given operation is not set in stone and it is
> not part of the kernel/userland interface/contract.  Policy isn't
> "userspace"; it governs what userspace can do, and it has to adapt to
> kernel changes.

I should note here that for changes to SELinux, we have gone out of our
way to avoid such breakage to date through the introduction of
compatibility switches, policy flags to enable any new checks, etc
(albeit at a cost in complexity and ever creeping compatibility code).
But changes to the rest of the kernel can just as easily alter the set
of permission checks that get applied on a given operation, and I don't
think we are always going to be able to guarantee that new kernel + old
policy will Just Work. 

> Users who are willing/able to run the latest kernel on their own w/o
> waiting for a coordinated update of kernel and policy from their
> distribution ought to be able to create a local policy module - it isn't
> rocket science, and they can always fall back on audit2allow if they
> need to do so.

-- 
Stephen Smalley
National Security Agency

Re: [Bug #11500] /proc/net bug related to selinux

[Eric W. Biederman]

Stephen Smalley <sds@tycho.nsa.gov> writes:

> On Thu, 2008-09-18 at 08:38 -0400, Stephen Smalley wrote:
>> I do however think that the mantra that we can't require users to update
>> policy for kernel changes is unsupportable in general.  The precise set
>> of permission checks on a given operation is not set in stone and it is
>> not part of the kernel/userland interface/contract.  Policy isn't
>> "userspace"; it governs what userspace can do, and it has to adapt to
>> kernel changes.
>
> I should note here that for changes to SELinux, we have gone out of our
> way to avoid such breakage to date through the introduction of
> compatibility switches, policy flags to enable any new checks, etc
> (albeit at a cost in complexity and ever creeping compatibility code).
> But changes to the rest of the kernel can just as easily alter the set
> of permission checks that get applied on a given operation, and I don't
> think we are always going to be able to guarantee that new kernel + old
> policy will Just Work. 

I know of at least 2 more directories that I intend to turn into
symlinks into somewhere under /proc/self.  How do we keep from
breaking selinux policies when I do that?

For comparison how do we handle sysfs? 
How do we handle device nodes in tmpfs?
Ultimately do we want to implement xattrs and inotify on /proc?  
Or is there another way that would simplify maintenance?

Eric

Re: [Bug #11500] /proc/net bug related to selinux

[Stephen Smalley]

On Thu, 2008-09-18 at 11:09 -0700, Eric W. Biederman wrote:
> Stephen Smalley <sds@tycho.nsa.gov> writes:
> 
> > On Thu, 2008-09-18 at 08:38 -0400, Stephen Smalley wrote:
> >> I do however think that the mantra that we can't require users to update
> >> policy for kernel changes is unsupportable in general.  The precise set
> >> of permission checks on a given operation is not set in stone and it is
> >> not part of the kernel/userland interface/contract.  Policy isn't
> >> "userspace"; it governs what userspace can do, and it has to adapt to
> >> kernel changes.
> >
> > I should note here that for changes to SELinux, we have gone out of our
> > way to avoid such breakage to date through the introduction of
> > compatibility switches, policy flags to enable any new checks, etc
> > (albeit at a cost in complexity and ever creeping compatibility code).
> > But changes to the rest of the kernel can just as easily alter the set
> > of permission checks that get applied on a given operation, and I don't
> > think we are always going to be able to guarantee that new kernel + old
> > policy will Just Work. 
> 
> I know of at least 2 more directories that I intend to turn into
> symlinks into somewhere under /proc/self.  How do we keep from
> breaking selinux policies when I do that?

I suspect we could tweak the logic in selinux_proc_get_sid() to always
label all symlinks under /proc with the base proc_t type already used
for e.g. /proc/self, at which point existing policies would be ok.

> For comparison how do we handle sysfs?

Unresolved; presently has a single label for all nodes.
See https://bugzilla.redhat.com/show_bug.cgi?id=228902
for prior discussion of fine-grained labeling support for sysfs.

> How do we handle device nodes in tmpfs?

udev has selinux support - looks up the appropriate context in a
userland config file (file_contexts) via libselinux matchpathcon(3) and
sets it upon creation.  tmpfs has long supported getting/setting
security.* attributes.

> Ultimately do we want to implement xattrs and inotify on /proc?  
> Or is there another way that would simplify maintenance?

If proc supported setxattr, then I suppose early userspace could label
it instead of the kernel needing to determine a label internally.  But
not sure how we'd cleanly migrate to avoid breakage with old userspace.

-- 
Stephen Smalley
National Security Agency

Re: [Bug #11500] /proc/net bug related to selinux

[david-gFPdbfVZQbY]

On Thu, 18 Sep 2008, Stephen Smalley wrote:

> On Thu, 2008-09-18 at 11:09 -0700, Eric W. Biederman wrote:
>> Stephen Smalley <sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org> writes:
>>
>>> On Thu, 2008-09-18 at 08:38 -0400, Stephen Smalley wrote:
>>>> I do however think that the mantra that we can't require users to update
>>>> policy for kernel changes is unsupportable in general.  The precise set
>>>> of permission checks on a given operation is not set in stone and it is
>>>> not part of the kernel/userland interface/contract.  Policy isn't
>>>> "userspace"; it governs what userspace can do, and it has to adapt to
>>>> kernel changes.
>>>
>>> I should note here that for changes to SELinux, we have gone out of our
>>> way to avoid such breakage to date through the introduction of
>>> compatibility switches, policy flags to enable any new checks, etc
>>> (albeit at a cost in complexity and ever creeping compatibility code).
>>> But changes to the rest of the kernel can just as easily alter the set
>>> of permission checks that get applied on a given operation, and I don't
>>> think we are always going to be able to guarantee that new kernel + old
>>> policy will Just Work.
>>
>> I know of at least 2 more directories that I intend to turn into
>> symlinks into somewhere under /proc/self.  How do we keep from
>> breaking selinux policies when I do that?
>
> I suspect we could tweak the logic in selinux_proc_get_sid() to always
> label all symlinks under /proc with the base proc_t type already used
> for e.g. /proc/self, at which point existing policies would be ok.

so if proc is mounted anywhere other then /proc the selinux policy would 
do odd things?

David Lang

>> For comparison how do we handle sysfs?
>
> Unresolved; presently has a single label for all nodes.
> See https://bugzilla.redhat.com/show_bug.cgi?id=228902
> for prior discussion of fine-grained labeling support for sysfs.
>
>> How do we handle device nodes in tmpfs?
>
> udev has selinux support - looks up the appropriate context in a
> userland config file (file_contexts) via libselinux matchpathcon(3) and
> sets it upon creation.  tmpfs has long supported getting/setting
> security.* attributes.
>
>> Ultimately do we want to implement xattrs and inotify on /proc?
>> Or is there another way that would simplify maintenance?
>
> If proc supported setxattr, then I suppose early userspace could label
> it instead of the kernel needing to determine a label internally.  But
> not sure how we'd cleanly migrate to avoid breakage with old userspace.
>
>

Re: [Bug #11500] /proc/net bug related to selinux

[Stephen Smalley]

On Fri, 2008-09-19 at 09:58 -0700, david@lang.hm wrote:
> On Thu, 18 Sep 2008, Stephen Smalley wrote:
> 
> > On Thu, 2008-09-18 at 11:09 -0700, Eric W. Biederman wrote:
> >> Stephen Smalley <sds@tycho.nsa.gov> writes:
> >>
> >>> On Thu, 2008-09-18 at 08:38 -0400, Stephen Smalley wrote:
> >>>> I do however think that the mantra that we can't require users to update
> >>>> policy for kernel changes is unsupportable in general.  The precise set
> >>>> of permission checks on a given operation is not set in stone and it is
> >>>> not part of the kernel/userland interface/contract.  Policy isn't
> >>>> "userspace"; it governs what userspace can do, and it has to adapt to
> >>>> kernel changes.
> >>>
> >>> I should note here that for changes to SELinux, we have gone out of our
> >>> way to avoid such breakage to date through the introduction of
> >>> compatibility switches, policy flags to enable any new checks, etc
> >>> (albeit at a cost in complexity and ever creeping compatibility code).
> >>> But changes to the rest of the kernel can just as easily alter the set
> >>> of permission checks that get applied on a given operation, and I don't
> >>> think we are always going to be able to guarantee that new kernel + old
> >>> policy will Just Work.
> >>
> >> I know of at least 2 more directories that I intend to turn into
> >> symlinks into somewhere under /proc/self.  How do we keep from
> >> breaking selinux policies when I do that?
> >
> > I suspect we could tweak the logic in selinux_proc_get_sid() to always
> > label all symlinks under /proc with the base proc_t type already used
> > for e.g. /proc/self, at which point existing policies would be ok.
> 
> so if proc is mounted anywhere other then /proc the selinux policy would 
> do odd things?

No, the logic doesn't care where proc is mounted.  Only the name
relative to the root of proc is used.

-- 
Stephen Smalley
National Security Agency

Re: [Bug #11500] /proc/net bug related to selinux

[Stephen Smalley]

On Thu, 2008-09-18 at 14:34 -0400, Stephen Smalley wrote:
> On Thu, 2008-09-18 at 11:09 -0700, Eric W. Biederman wrote:
> > Stephen Smalley <sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org> writes:
> > 
> > > On Thu, 2008-09-18 at 08:38 -0400, Stephen Smalley wrote:
> > >> I do however think that the mantra that we can't require users to update
> > >> policy for kernel changes is unsupportable in general.  The precise set
> > >> of permission checks on a given operation is not set in stone and it is
> > >> not part of the kernel/userland interface/contract.  Policy isn't
> > >> "userspace"; it governs what userspace can do, and it has to adapt to
> > >> kernel changes.
> > >
> > > I should note here that for changes to SELinux, we have gone out of our
> > > way to avoid such breakage to date through the introduction of
> > > compatibility switches, policy flags to enable any new checks, etc
> > > (albeit at a cost in complexity and ever creeping compatibility code).
> > > But changes to the rest of the kernel can just as easily alter the set
> > > of permission checks that get applied on a given operation, and I don't
> > > think we are always going to be able to guarantee that new kernel + old
> > > policy will Just Work. 
> > 
> > I know of at least 2 more directories that I intend to turn into
> > symlinks into somewhere under /proc/self.  How do we keep from
> > breaking selinux policies when I do that?
> 
> I suspect we could tweak the logic in selinux_proc_get_sid() to always
> label all symlinks under /proc with the base proc_t type already used
> for e.g. /proc/self, at which point existing policies would be ok.

FWIW, a fix for this issue has been applied to:
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next

The particular commit can be viewed at:
http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git;a=commit;h=ea6b184f7d521a503ecab71feca6e4057562252b

This should address not only the /proc/net breakage but also any future
changes to turn existing directories into symlinks.

-- 
Stephen Smalley
National Security Agency