Re: 2.6.7-rc2: open() hangs on ReiserFS with SELinux enabled

From: Stephen Smalley
Date: Wed Jun 02 2004 - 13:42:37 EST


On Wed, 2004-06-02 at 13:48, Dmitry Baryshkov wrote:
> Hello,
>
> I tried enabling SELinux on my Linux-box, using ReiserFS as /, kernel
> 2.6.7-rc2.
>
> After relabeling and rebooting in non-enforcing mode everything worked
> well, except the fact that new files on reiserfs filesystems don't get
> security attributes.
>
> So I added 'fs_use_xattr reiserfs system_u:object_r:fs_t;' to the policy,
> rebooted and found that mount hangs during opening of /etc/mtab~<pid>
> (even in non-enforcing mode).
>
> If I remove that line from SELinux policy, the system boots up OK.
>
> Here are last lines from #strace mount / -o remount :
>
> === Cut ===
> open("/etc/mtab~202", O_WRONLY|O_CREAT|O_LARGEFILE, 0600audit(1085949484.378:0): avc: denied { write } for pid=202 exe=/bin/mount name=etc dev=hda5 ino=91 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=dir
> audit(1085949484.378:0): avc: denied { add_name } for pid=202 exe=/bin/mount name=etc dev=hda5 ino=91 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=dir
> audit(1085949484.378:0): avc: denied { create } for pid=202 exe=/bin/mount name=mtab~202 dev=hda5 ino=91 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
> === Cut ===
>
> Tell me, if I need to provide any additional info.

The mount process shouldn't be in kernel_t, although that shouldn't
cause a hang. Is /sbin/init labeled properly? Are you using the
patched /sbin/init that loads policy and then re-execs itself into the
proper security domain?

What output did you get from SELinux during initialization, particularly
for hda5?

When the mount process is hung, what output do you get from pressing
ALT-SysRq-t after enabling sysrq (echo 1 > /proc/sys/kernel/sysrq)?

Most likely location for a hang would be when post_create invokes
inode->i_op->setxattr to set the attribute on the newly created file.
Inode semaphore is taken around the call, as per other invocations of
inode->i_op->setxattr.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
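The diagnosis above rests on reading the AVC denial lines: the source context of /bin/mount is kernel_t, which points at init not having transitioned into its proper domain before mount ran. The following is an added example, not code from this thread or from the SELinux project, showing how a practitioner can parse such "avc: denied" records (including the first one, where strace's open() line and the audit message were fused on one line) and flag userspace binaries running in kernel_t. The sample log is constructed from the lines quoted in the report; the function names and the "exe= present means userspace" heuristic are this example's own assumptions.

```python
import re

# Constructed sample: the three denials quoted in the report above, with the
# first one kept exactly as it appeared (strace output fused with the audit line).
SAMPLE_LOG = """\
open("/etc/mtab~202", O_WRONLY|O_CREAT|O_LARGEFILE, 0600audit(1085949484.378:0): avc: denied { write } for pid=202 exe=/bin/mount name=etc dev=hda5 ino=91 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=dir
audit(1085949484.378:0): avc: denied { add_name } for pid=202 exe=/bin/mount name=etc dev=hda5 ino=91 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=dir
audit(1085949484.378:0): avc: denied { create } for pid=202 exe=/bin/mount name=mtab~202 dev=hda5 ino=91 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
"""

# Old-style (2.6-era) AVC message: "avc: denied { perm ... } for key=value ...".
# re.search is used so leading junk (like the fused open() call) is tolerated.
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line carries none."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    for kv in m.group("fields").split():
        if "=" in kv:
            key, val = kv.split("=", 1)
            rec[key] = val
    return rec


def parse_all(text):
    """Parse every line of a log fragment, skipping non-AVC lines."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def domain_of(context):
    """user:role:type[:range] -> type (e.g. system_u:system_r:kernel_t -> kernel_t)."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def find_misdomained(text, domain="kernel_t"):
    """Records where a userspace program ran in `domain`.

    Assumption (this example's heuristic): a record carrying exe= names a
    userspace binary, and a userspace binary should never be in kernel_t.
    """
    return [
        r for r in parse_all(text)
        if "exe" in r and domain_of(r.get("scontext", "")) == domain
    ]


def summarize(text):
    """Group denied permissions by (source domain, target type, object class).

    The keys are what a policy writer looks at to decide whether the fix is a
    policy rule or, as in this thread, a mislabeled process.
    """
    out = {}
    for r in parse_all(text):
        if r["decision"] != "denied":
            continue
        key = (
            domain_of(r.get("scontext", "")),
            domain_of(r.get("tcontext", "")),
            r.get("tclass", ""),
        )
        out.setdefault(key, set()).update(r["perms"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for key, perms in summarize(SAMPLE_LOG).items():
        print("%s -> %s (%s): %s" % (key[0], key[1], key[2], " ".join(perms)))
    for r in find_misdomained(SAMPLE_LOG):
        print("userspace binary %s (pid %s) running in kernel_t" % (r["exe"], r["pid"]))
```

On the quoted log this reports kernel_t -> etc_t (dir): add_name write and kernel_t -> etc_t (file): create, and flags /bin/mount three times; the same summary run on a healthy boot should show mount in its own domain rather than kernel_t. Newer kernels emit the fields in a different order and with extra keys, but the key=value tail is parsed generically so the summary logic carries over.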
