Hello,
I'd like to request a backport of the patch below, currently merged upstream and targeted for 3.15. The patch fixes a number of problems relating to SELinux and systemd-sysctl which are starting to appear for F20 in the RH bugzilla. One such example can be seen here:
* https://bugzilla.redhat.com/show_bug.cgi?id=1084829
If there is anything I can do to help get this patch into Fedora let me know.
Thanks, -Paul
commit f64410ec665479d7b4b77b7519e814253ed0f686
Author: Paul Moore <pmoore@redhat.com>
Date:   Wed Mar 19 16:46:18 2014 -0400
selinux: correctly label /proc inodes in use before the policy is loaded
This patch is based on an earlier patch by Eric Paris, he describes the problem below:
"If an inode is accessed before policy load it will get placed on a list of inodes to be initialized after policy load. After policy load we call inode_doinit() which calls inode_doinit_with_dentry() on all inodes accessed before policy load. In the case of inodes in procfs that means we'll end up at the bottom where it does:
    /* Default to the fs superblock SID. */
    isec->sid = sbsec->sid;

    if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
        if (opt_dentry) {
            isec->sclass = inode_mode_to_security_class(...)
            rc = selinux_proc_get_sid(opt_dentry, isec->sclass, &sid);
            if (rc)
                goto out_unlock;
            isec->sid = sid;
        }
    }
Since opt_dentry is null, we'll never call selinux_proc_get_sid() and will leave the inode labeled with the label on the superblock. I believe a fix would be to mimic the behavior of xattrs. Look for an alias of the inode. If it can't be found, just leave the inode uninitialized (and pick it up later) if it can be found, we should be able to call selinux_proc_get_sid() ..."
On a system exhibiting this problem, you will notice a lot of files in /proc with the generic "proc_t" type (at least the ones that were accessed early in the boot), for example:
# ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }'
system_u:object_r:proc_t:s0 /proc/sys/kernel/shmmax
However, with this patch in place we see the expected result:
# ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }'
system_u:object_r:sysctl_kernel_t:s0 /proc/sys/kernel/shmmax
Cc: Eric Paris <eparis@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Acked-by: Eric Paris <eparis@redhat.com>

 security/selinux/hooks.c | 36 ++++++++++++++++++++++++++--------
 1 file changed, 27 insertions(+), 9 deletions(-)
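The commit message shows the symptom on a single file with ls -Z. As an added check, not part of the thread or the patch, the function below scans an entire /proc/sys listing for entries still carrying the generic proc_t type; it assumes GNU stat's %C format for the SELinux context and reads "<context> <path>" lines on stdin.

```shell
#!/bin/sh
# Added example (not from the thread): list /proc/sys entries whose SELinux type
# is the generic proc_t rather than a sysctl_*_t type, i.e. inodes that were
# accessed before policy load and never relabeled.
#
# Typical use on a live system (GNU coreutils stat, %C = SELinux context):
#   find /proc/sys -exec stat -c '%C %n' {} + 2>/dev/null | check_proc_labels
#
# Input lines have the form "<user>:<role>:<type>:<range> <path>".
# Prints each mislabeled path; exit status is 1 if any were found, 0 otherwise.
check_proc_labels() {
    awk '
        {
            split($1, ctx, ":")
            type = ctx[3]
            # Only /proc/sys is expected to carry sysctl_*_t types; plain
            # /proc files such as /proc/cpuinfo are legitimately proc_t.
            if ($2 ~ /^\/proc\/sys\// && type == "proc_t") {
                print $2
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}
```

A non-zero exit status after the kernel in question is booted means the backport is still missing or not yet effective.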
On Tue, Apr 8, 2014 at 4:41 PM, Paul Moore pmoore@redhat.com wrote:
> Hello,
> I'd like to request a backport of the patch below, currently merged upstream and targeted for 3.15. The patch fixes a number of problems relating to SELinux and systemd-sysctl which are starting to appear for F20 in the RH bugzilla. One such example can be seen here:
> If there is anything I can do to help get this patch into Fedora let me know.
Did you send this to the upstream stable maintainers?
We can pick it up ourselves without too much issue, but it would benefit everyone if it was CC'd to stable.
josh
On Tuesday, April 08, 2014 05:13:47 PM Josh Boyer wrote:
> On Tue, Apr 8, 2014 at 4:41 PM, Paul Moore pmoore@redhat.com wrote:
> > Hello,
> > I'd like to request a backport of the patch below, currently merged upstream and targeted for 3.15. The patch fixes a number of problems relating to SELinux and systemd-sysctl which are starting to appear for F20 in the RH bugzilla. One such example can be seen here:
> > If there is anything I can do to help get this patch into Fedora let me know.
> Did you send this to the upstream stable maintainers?
> We can pick it up ourselves without too much issue, but it would benefit everyone if it was CC'd to stable.
I probably should have tagged the patch for stable, but for some reason didn't. I just passed it along to the stable folks, so with some luck it should arrive in the next set of stable kernels.
Regardless, thanks for pulling the patch into the Fedora kernel, hopefully you'll be able to drop it soon.
-Paul
kernel@lists.fedoraproject.org