Bug 11500 - /proc/net bug related to selinux
Summary: /proc/net bug related to selinux
Status: CLOSED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: VFS (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: fs_vfs
URL:
Keywords:
Depends on:
Blocks: 10492
  Show dependency tree
 
Reported: 2008-09-04 14:42 UTC by Rafael J. Wysocki
Modified: 2010-09-02 20:00 UTC (History)
3 users (show)

See Also:
Kernel Version: commit fbb16e243887332dd5754e48ffe5b963378f3cd2
Subsystem:
Regression: Yes
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Rafael J. Wysocki 2008-09-04 14:42:28 UTC 
Subject    : linux-next: Tree for September 3
Submitter  : Andrew Morton <akpm@linux-foundation.org>
Date       : 2008-09-04 17:45
References : http://marc.info/?l=linux-kernel&m=122055041313270&w=4

This entry is being used for tracking a regression from 2.6.26.  Please don't
close it until the problem is fixed in the mainline.
Comment 1 Stephen Smalley 2008-09-08 05:57:30 UTC 
Output of:
# /sbin/ausearch -m AVC -sv no
would be of interest.
Comment 2 Rafael J. Wysocki 2008-09-14 17:12:50 UTC 
On Saturday, 13 of September 2008, Andrew Morton wrote:
> On Sat, 13 Sep 2008 10:15:43 +1000 (EST) James Morris <jmorris@namei.org>
> wrote:
> 
> > On Fri, 12 Sep 2008, Andrew Morton wrote:
> > 
> > > > > Bug-Entry     : http://bugzilla.kernel.org/show_bug.cgi?id=11500
> > > > > Subject               : /proc/net bug related to selinux
> > > > > Submitter     : Andrew Morton <akpm@linux-foundation.org>
> > > > > Date          : 2008-09-04 17:45 (9 days old)
> > > > > References    :
> http://marc.info/?l=linux-kernel&m=122055041313270&w=4
> > > > 
> > > > I think this might be a regression caused by namespace changes which we 
> > 
> > By which I mean, this was caused by a non-SELinux change to the upstream 
> > kernel many, many eons ago.
> 
> hm, seems that 2.6.24 is OK but 2.6.25 is not.  I must have missed the
> bug when testing 2.6.25-based kernels.
> 
> I started a git bisection search but after half an hour I hit bad
> bisection breakage: a complete machine hang in fib_rules_init().
Comment 3 Florian Mickler 2010-08-16 13:00:46 UTC 
In http://marc.info/?l=linux-kernel&m=122056291403378&w=4 it seems to be resolved as a wont-fix:

| Andrew Morton <akpm@linux-foundation.org> writes:
| 
| > On Thu, 04 Sep 2008 13:31:01 -0700
| > ebiederm@xmission.com (Eric W. Biederman) wrote:
| >
| >> >> are you sure it's a plain tree of mine, without any of the patches 
| >> >> floating around between Eric/Al?
| >> >
| >> > yup, it's yesterday's mainline.
| >> 
| >> Does the problem happen if you disable selinux?
| >> 
| >> This feels like a case of selinux being over zealous.
| >
| > yeah, adding `selinux=0' to the boot command line fixes it.
| 
| The proc generic directory back structure is the same.  As requested by
| the selinux folks.  So I don't expect there is much more we can do on
| the /proc side.
| 
| When we get the interaction bug between the VFS and /proc/net fixed I wonder
| if there will be some more selinux fall out.  Something to think about.
| 
| Eric

So this should be closed, probably...
Comment 4 Florian Mickler 2010-08-18 11:24:14 UTC 
Ah, reading up on some discussion about this regression I found this patch to fix symlink-issues with selinux in /proc which got merged for 2.6.28:

|
| commit ea6b184f7d521a503ecab71feca6e4057562252b
| Author: Stephen Smalley <sds@tycho.nsa.gov>
| Date:   Mon Sep 22 15:41:19 2008 -0400
| 
|   selinux: use default proc sid on symlinks
|
Note You need to log in before you can comment on or make changes to this bug.