* 2.6.27-rc1 + selinux new options = no httpd
@ 2008-07-31 2:54 Gene Heskett
2008-07-31 3:36 ` Valdis.Kletnieks
2008-07-31 4:43 ` James Morris
0 siblings, 2 replies; 15+ messages in thread
From: Gene Heskett @ 2008-07-31 2:54 UTC
To: linux-kernel
Greetings;
I just had to reboot backwards to 2.6.26 as I don't seem to be able to turn
off enough selinux stuff to allow apache (httpd) to run, on 2.6.27-rc1 it
cannot get perms to access its log files so it exits.
Is there a specific fix for this?
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Heuristics are bug ridden by definition. If they didn't have bugs,
then they'd be algorithms.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: 2.6.27-rc1 + selinux new options = no httpd
From: Valdis.Kletnieks @ 2008-07-31 3:36 UTC
To: Gene Heskett; +Cc: linux-kernel
On Wed, 30 Jul 2008 22:54:25 EDT, Gene Heskett said:
> Greetings;
>
> I just had to reboot backwards to 2.6.26 as I don't seem to be able to turn
> off enough selinux stuff to allow apache (httpd) to run, on 2.6.27-rc1 it
> cannot get perms to access its log files so it exits.
Oddness indeed - booting with 'permissive' should at least let things work
so you can diagnose the problem.
Do you have any of the AVC messages that got generated when apache failed?
* Re: 2.6.27-rc1 + selinux new options = no httpd
From: James Morris @ 2008-07-31 4:43 UTC
To: Gene Heskett; +Cc: linux-kernel, Eric Paris, Stephen Smalley
On Wed, 30 Jul 2008, Gene Heskett wrote:
> Greetings;
>
> I just had to reboot backwards to 2.6.26 as I don't seem to be able to turn
> off enough selinux stuff to allow apache (httpd) to run, on 2.6.27-rc1 it
> cannot get perms to access its log files so it exits.
Which new options?
What AVC messages are you seeing?
Which distro are you using and what is the policy package version?
> Is there a specific fix for this?
This is the first I've heard of this.
- James
--
James Morris
<jmorris@namei.org>
* Re: 2.6.27-rc1 + selinux new options = no httpd
From: Gene Heskett @ 2008-07-31 13:09 UTC
To: James Morris; +Cc: linux-kernel, Eric Paris, Stephen Smalley
On Thursday 31 July 2008, James Morris wrote:
>On Wed, 30 Jul 2008, Gene Heskett wrote:
>> Greetings;
>>
>> I just had to reboot backwards to 2.6.26 as I don't seem to be able to
>> turn off enough selinux stuff to allow apache (httpd) to run, on
>> 2.6.27-rc1 it cannot get perms to access its log files so it exits.
>
>Which new options?
Make xconfig-->security options:
XFRM Networking security hooks
and several others just below it. Unforch, I can't copy/paste the screen.
My next build will be with the above option turned off for grins & giggles.
However, I have about 16 bundles of shingles yet to sail up onto a roof & nail
down in the cooler parts of the day till I'm done. Taken last evening, I'm
on the right.
<http://gene.homelinux.net:85/gene/Garage-pix/p7300002.jpg>
>What AVC messages are you seeing?
I posted the whole screen from setroubleshoot earlier.
>Which distro are you using and what is the policy package version?
F8, selinux-policy-targeted-3.0.8-109.fc8
selinux-policy-3.0.8-109.fc8
policycoreutils-gui-2.0.33-3.fc8
checkpolicy-2.0.4-1.fc8
policycoreutils-2.0.33-3.fc8
selinux-policy-devel-3.0.8-109.fc8
System has been relabeled twice now, no change, and the setroubleshoot command
suggested doesn't fix it.
>> Is there a specific fix for this?
>
>This is the first I've heard of this.
>
Caught me out too. :)
>
>- James
Thanks James.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
"More software projects have gone awry for lack of calendar time than for all
other causes combined."
-- Fred Brooks, Jr., _The Mythical Man Month_
* Re: 2.6.27-rc1 + selinux new options = no httpd
From: Eric Paris @ 2008-07-31 14:44 UTC
To: Gene Heskett; +Cc: James Morris, linux-kernel, Stephen Smalley
On Thu, 2008-07-31 at 09:09 -0400, Gene Heskett wrote:
> On Thursday 31 July 2008, James Morris wrote:
> >What AVC messages are you seeing?
>
> I posted the whole screen from setroubleshoot earlier.
I'm sorry but I can't seem to find it in your original message...
http://marc.info/?l=linux-kernel&m=121747333012971&w=2
Do you have another pointer? I can't think of anything that went into
2.6.27 related to SELinux that should have in any way changed file
access checks but I'll poke through the changelog and see if something
stands out...
-Eric
* Re: 2.6.27-rc1 + selinux new options = no httpd
From: Stephen Smalley @ 2008-07-31 17:47 UTC
To: Eric Paris; +Cc: Gene Heskett, James Morris, linux-kernel, Alexander Viro
On Thu, 2008-07-31 at 10:44 -0400, Eric Paris wrote:
> On Thu, 2008-07-31 at 09:09 -0400, Gene Heskett wrote:
> > On Thursday 31 July 2008, James Morris wrote:
>
> > >What AVC messages are you seeing?
> >
> > I posted the whole screen from setroubleshoot earlier.
>
> I'm sorry but I can't seem to find it in your original message...
>
> http://marc.info/?l=linux-kernel&m=121747333012971&w=2
>
> Do you have another pointer? I can't think of anything that went into
> 2.6.27 related to SELinux that should have in any way changed file
> access checks but I'll poke through the changelog and see if something
> stands out...
I suspect it is the append bug introduced by the vfs changes, fixed by
http://marc.info/?l=linux-kernel&m=121726661110266&w=2
httpd would only be allowed append permission to its log file by policy.
--
Stephen Smalley
National Security Agency
* Re: 2.6.27-rc1 + selinux new options = no httpd
From: James Morris @ 2008-07-31 20:02 UTC
To: Gene Heskett; +Cc: linux-kernel, Eric Paris, Stephen Smalley
On Thu, 31 Jul 2008, Gene Heskett wrote:
> >Which new options?
>
> Make xconfig-->security options:
>
> XFRM Networking security hooks
>
> and several others just below it. Unforch, I can't copy/paste the screen.
I can't really imagine what that is (although if you enable the secmark
controls under the main SELinux menu, which are disabled by default,
there could be problems).
Please post your .config.
- James
--
James Morris
<jmorris@namei.org>
* 2.6.27-rc1: strange fstab issue (Re: 2.6.27-rc1 + selinux new options = no httpd)
From: Rafael J. Wysocki @ 2008-07-31 22:17 UTC
To: James Morris; +Cc: Gene Heskett, linux-kernel, Eric Paris, Stephen Smalley
On Thursday, 31 of July 2008, James Morris wrote:
> On Thu, 31 Jul 2008, Gene Heskett wrote:
>
> > >Which new options?
> >
> > Make xconfig-->security options:
> >
> > XFRM Networking security hooks
> >
> > and several others just below it. Unforch, I can't copy/paste the screen.
>
> I can't really imagine what that is (although if you enable the secmark
> controls under the main SELinux menu, which are disabled by default,
> there could be problems).
On a possibly related note, I've been observing a strange issue on one of
my test boxes with OpenSUSE 10.3 recently. Namely, the fsck complains
that there's no passno value in the fstab, although it obviously is present.
Strangely enough, if the kernel is compiled with CONFIG_SECURITY_SELINUX unset,
the fsck doesn't complain about the missing passno field any more.
Thanks,
Rafael
* Re: 2.6.27-rc1 + selinux new options = no httpd
From: Stephen Smalley @ 2008-08-01 12:51 UTC
To: Eric Paris; +Cc: Gene Heskett, James Morris, linux-kernel, Alexander Viro
On Thu, 2008-07-31 at 10:44 -0400, Eric Paris wrote:
> On Thu, 2008-07-31 at 09:09 -0400, Gene Heskett wrote:
> > On Thursday 31 July 2008, James Morris wrote:
>
> > >What AVC messages are you seeing?
> >
> > I posted the whole screen from setroubleshoot earlier.
>
> I'm sorry but I can't seem to find it in your original message...
>
> http://marc.info/?l=linux-kernel&m=121747333012971&w=2
>
> Do you have another pointer? I can't think of anything that went into
> 2.6.27 related to SELinux that should have in any way changed file
> access checks but I'll poke through the changelog and see if something
> stands out...
It could be the append bug introduced by the vfs changes.
See:
http://marc.info/?l=linux-kernel&m=121726661110266&w=2
That would break any case where only append permission is granted (not
full write access), as would be typical for httpd log files.
--
Stephen Smalley
National Security Agency
* Re: 2.6.27-rc1: strange fstab issue (Re: 2.6.27-rc1 + selinux new options = no httpd)
From: Gene Heskett @ 2008-08-01 13:39 UTC
To: Rafael J. Wysocki; +Cc: James Morris, linux-kernel, Eric Paris, Stephen Smalley
On Thursday 31 July 2008, Rafael J. Wysocki wrote:
Update by Gene below.
>On Thursday, 31 of July 2008, James Morris wrote:
>> On Thu, 31 Jul 2008, Gene Heskett wrote:
>> > >Which new options?
>> >
>> > Make xconfig-->security options:
>> >
>> > XFRM Networking security hooks
>> >
>> > and several others just below it. Unforch, I can't copy/paste the
>> > screen.
>>
>> I can't really imagine what that is (although if you enable the secmark
>> controls under the main SELinux menu, which are disabled by default,
>> there could be problems).
>
>On a possibly related note, I've been observing a strange issue on one of
>my test boxes with OpenSUSE 10.3 recently. Namely, the fsck complains
>that there's no passno value in the fstab, although it obviously is present.
>
>Strangely enough, if the kernel is compiled with CONFIG_SECURITY_SELINUX
> unset, the fsck doesn't complain about the missing passno field any more.
>
>Thanks,
>Rafael
I just did a 2.6.27-rc1 rebuild on a pure, all defaults 'make oldconfig' from
my 2.6.26 final .config moved to that src tree.
httpd is still being denied access to its log files and dies during the bootup.
This is a showstopper for me.
From the log:
Aug 1 09:12:13 coyote setroubleshoot: SELinux prevented httpd reading and writing access to http files. For complete SELinux messages. run sealert -l ecd4e1d6-59fa-47ff-830d-3fb7d9114805
From the output of that report:
The following command will allow this access:
setsebool -P httpd_unified=1
(Gene: but it is not effective)
Additional Information:
  Source Context        system_u:system_r:httpd_t:s0
  Target Context        system_u:object_r:httpd_log_t:s0
  Target Objects        ./error_log [ file ]
  Source                httpd
  Source Path           /usr/sbin/httpd
  Port                  <Unknown>
  Host                  coyote.coyote.den
  Source RPM Packages   httpd-2.2.8-1.fc8
  Target RPM Packages
  Policy RPM            selinux-policy-3.0.8-109.fc8
  Selinux Enabled       True
  Policy Type           targeted
  MLS Enabled           True
  Enforcing Mode        Enforcing
  Plugin Name           httpd_unified
  Host Name             coyote.coyote.den
  Platform              Linux coyote.coyote.den 2.6.27-rc1 #2 PREEMPT Wed Jul 30 19:05:14 EDT 2008 i686 athlon
  Alert Count           11
  First Seen            Tue Jul 29 15:51:41 2008
There is more but you've seen it previously I believe.
Thanks for any help/solution.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Advertising may be described as the science of arresting the human
intelligence long enough to get money from it.
* Re: 2.6.27-rc1: strange fstab issue (Re: 2.6.27-rc1 + selinux new options = no httpd)
From: Eric Paris @ 2008-08-01 13:47 UTC
To: Gene Heskett
Cc: Rafael J. Wysocki, James Morris, linux-kernel, Stephen Smalley,
aviro
On Fri, 2008-08-01 at 09:39 -0400, Gene Heskett wrote:
> On Thursday 31 July 2008, Rafael J. Wysocki wrote:
> Update by Gene below.
> >On Thursday, 31 of July 2008, James Morris wrote:
> >> On Thu, 31 Jul 2008, Gene Heskett wrote:
> >> > >Which new options?
> >> >
> >> > Make xconfig-->security options:
> >> >
> >> > XFRM Networking security hooks
> >> >
> >> > and several others just below it. Unforch, I can't copy/paste the
> >> > screen.
> >>
> >> I can't really imagine what that is (although if you enable the secmark
> >> controls under the main SELinux menu, which are disabled by default,
> >> there could be problems).
> >
> >On a possibly related note, I've been observing a strange issue on one of
> >my test boxes with OpenSUSE 10.3 recently. Namely, the fsck complains
> >that there's no passno value in the fstab, although it obviously is present.
> >
> >Strangely enough, if the kernel is compiled with CONFIG_SECURITY_SELINUX
> > unset, the fsck doesn't complain about the missing passno field any more.
> >
> >Thanks,
> >Rafael
>
> I just did a 2.6.27-rc1 rebuild on a pure, all defaults 'make oldconfig' from
> my 2.6.26 final .config moved to that src tree.
>
> httpd is still being denied access to its log files and dies during the bootup.
>
> This is a showstopper for me.
Stephen Smalley just sent me a private note. Apparently he is having
e-mail trouble but he did point out the most likely problem. Can you
add the patch from
http://marc.info/?l=linux-kernel&m=121726661110266&w=2
And give it a whirl? Sorry, but we think the problem is that the VFS
stopped passing all of the relevant information down to the security
system. httpd is only allowed to append to its log files, not actually
'write.' Since the VFS is no longer differentiating those two operations
you are getting the denial for write.
I'll try to get this pushed into linus's tree quickly.
-Eric
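The diagnosis Stephen and Eric give above (the VFS dropped MAY_APPEND from the mask it handed to the security hook, so an O_APPEND open of an append-only log was checked as a plain write) can be modelled in user space. What follows is an added example written for this page, not code from the thread or from the kernel tree. The MAY_* bit values match include/linux/fs.h and the append-before-write ordering follows SELinux's file_mask_to_av(), but the mask filter in vfs_mask_for_lsm(), the access-vector bit values, and the one-rule policy (httpd_t may only read and append to httpd_log_t, the shape Stephen describes) are simplifications chosen to show the failure, not the kernel's real code.

```c
/*
 * Added example: user-space model of how open(2) flags turn into an SELinux
 * file permission request, and why dropping MAY_APPEND on the way to the
 * LSM hook breaks append-only access.  Not the kernel's code.
 */
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Request bits as in include/linux/fs.h. */
#define MAY_EXEC    0x01
#define MAY_WRITE   0x02
#define MAY_READ    0x04
#define MAY_APPEND  0x08

/* Toy access-vector bits for the SELinux "file" class (values assumed). */
#define FILE__READ    0x1
#define FILE__WRITE   0x2
#define FILE__APPEND  0x4
#define FILE__EXECUTE 0x8

/* open(2) flags -> MAY_* mask: access mode gives read/write, O_APPEND adds append. */
static int open_flags_to_may(int flags)
{
    int mask = 0;
    int acc = flags & O_ACCMODE;
    if (acc == O_RDONLY || acc == O_RDWR) mask |= MAY_READ;
    if (acc == O_WRONLY || acc == O_RDWR) mask |= MAY_WRITE;
    if (flags & O_APPEND)                 mask |= MAY_APPEND;
    return mask;
}

/* The VFS-to-LSM step.  With fixed == 0 the filter strips MAY_APPEND, which is
 * the 2.6.27-rc1 behaviour described in the thread; with fixed == 1 the bit
 * survives, as after the "| MAY_APPEND" change Gene applied. */
static int vfs_mask_for_lsm(int mask, int fixed)
{
    int keep = MAY_READ | MAY_WRITE | MAY_EXEC;
    if (fixed)
        keep |= MAY_APPEND;
    return mask & keep;
}

/* SELinux side: an append-flagged write asks for file:append, any other
 * write asks for file:write.  Same ordering as file_mask_to_av(). */
static unsigned file_mask_to_av(int mask)
{
    unsigned av = 0;
    if (mask & MAY_EXEC)        av |= FILE__EXECUTE;
    if (mask & MAY_READ)        av |= FILE__READ;
    if (mask & MAY_APPEND)      av |= FILE__APPEND;
    else if (mask & MAY_WRITE)  av |= FILE__WRITE;
    return av;
}

/* Toy policy (assumed): httpd_t gets only { read append } on httpd_log_t. */
static unsigned policy_allowed(const char *stype, const char *ttype)
{
    if (strcmp(stype, "httpd_t") == 0 && strcmp(ttype, "httpd_log_t") == 0)
        return FILE__READ | FILE__APPEND;
    return 0;
}

/* Returns the first denied permission name, spelled as an AVC record prints
 * it (e.g. "write"), or NULL when the open is granted. */
const char *check_open(const char *stype, const char *ttype, int flags, int fixed)
{
    unsigned requested = file_mask_to_av(vfs_mask_for_lsm(open_flags_to_may(flags), fixed));
    unsigned denied = requested & ~policy_allowed(stype, ttype);
    if (denied == 0)           return NULL;
    if (denied & FILE__WRITE)  return "write";
    if (denied & FILE__APPEND) return "append";
    if (denied & FILE__READ)   return "read";
    return "execute";
}

int main(void)
{
    /* httpd opens error_log for appending: O_WRONLY|O_APPEND|O_CREAT. */
    int flags = O_WRONLY | O_APPEND | O_CREAT;
    const char *d;

    d = check_open("httpd_t", "httpd_log_t", flags, 0);
    printf("2.6.27-rc1 path: %s\n", d ? d : "granted");   /* prints "write" */
    d = check_open("httpd_t", "httpd_log_t", flags, 1);
    printf("with MAY_APPEND: %s\n", d ? d : "granted");   /* prints "granted" */
    return 0;
}
```

The denied permission on the rc1 path is write, on target type httpd_log_t from source type httpd_t, which is the pair Gene's sealert report shows. The practitioner's check on a real system is whether the policy grants append but not write on the log type (sesearch can show that); if so, any kernel path that collapses append into write produces exactly this denial, and a boolean-based suggestion from sealert addresses the policy when the problem is the permission being requested.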
* Re: 2.6.27-rc1: strange fstab issue (Re: 2.6.27-rc1 + selinux new options = no httpd)
From: Al Viro @ 2008-08-01 14:02 UTC
To: Eric Paris
Cc: Gene Heskett, Rafael J. Wysocki, James Morris, linux-kernel,
Stephen Smalley, aviro
On Fri, Aug 01, 2008 at 09:47:59AM -0400, Eric Paris wrote:
> On Fri, 2008-08-01 at 09:39 -0400, Gene Heskett wrote:
> > On Thursday 31 July 2008, Rafael J. Wysocki wrote:
> > Update by Gene below.
> > >On Thursday, 31 of July 2008, James Morris wrote:
> > >> On Thu, 31 Jul 2008, Gene Heskett wrote:
> > >> > >Which new options?
> > >> >
> > >> > Make xconfig-->security options:
> > >> >
> > >> > XFRM Networking security hooks
> > >> >
> > >> > and several others just below it. Unforch, I can't copy/paste the
> > >> > screen.
> > >>
> > >> I can't really imagine what that is (although if you enable the secmark
> > >> controls under the main SELinux menu, which are disabled by default,
> > >> there could be problems).
> > >
> > >On a possibly related note, I've been observing a strange issue on one of
> > >my test boxes with OpenSUSE 10.3 recently. Namely, the fsck complains
> > >that there's no passno value in the fstab, although it obviously is present.
> > >
> > >Strangely enough, if the kernel is compiled with CONFIG_SECURITY_SELINUX
> > > unset, the fsck doesn't complain about the missing passno field any more.
> > >
> > >Thanks,
> > >Rafael
> >
> > I just did a 2.6.27-rc1 rebuild on a pure, all defaults 'make oldconfig' from
> > my 2.6.26 final .config moved to that src tree.
> >
> > httpd is still being denied access to its log files and dies during the bootup.
> >
> > This is a showstopper for me.
>
> Stephen Smalley just sent me a private note. Apparently he is having
> e-mail trouble but he did point out the most likely problem. Can you
> add the patch from
>
> http://marc.info/?l=linux-kernel&m=121726661110266&w=2
>
> And give it a whirl? Sorry, but we think the problem is that the VFS
> stopped passing all of the relevant information down to the security
> system. httpd is only allowed to append to its log files, not actually
> 'write.' Since the VFS is no longer differentiating those two operations
> you are getting the denial for write.
>
> I'll try to get this pushed into linus's tree quickly.
It's in linux-next, BTW. I'll push the next set to Linus in an hour or so.
* Re: 2.6.27-rc1: strange fstab issue (Re: 2.6.27-rc1 + selinux new options = no httpd)
From: Gene Heskett @ 2008-08-01 14:13 UTC
To: Eric Paris
Cc: Rafael J. Wysocki, James Morris, linux-kernel, Stephen Smalley,
aviro
On Friday 01 August 2008, Eric Paris wrote:
>On Fri, 2008-08-01 at 09:39 -0400, Gene Heskett wrote:
>> On Thursday 31 July 2008, Rafael J. Wysocki wrote:
>> Update by Gene below.
>>
>> >On Thursday, 31 of July 2008, James Morris wrote:
>> >> On Thu, 31 Jul 2008, Gene Heskett wrote:
>> >> > >Which new options?
>> >> >
>> >> > Make xconfig-->security options:
>> >> >
>> >> > XFRM Networking security hooks
>> >> >
>> >> > and several others just below it. Unforch, I can't copy/paste the
>> >> > screen.
>> >>
>> >> I can't really imagine what that is (although if you enable the secmark
>> >> controls under the main SELinux menu, which are disabled by default,
>> >> there could be problems).
>> >
>> >On a possibly related note, I've been observing a strange issue on one of
>> >my test boxes with OpenSUSE 10.3 recently. Namely, the fsck complains
>> >that there's no passno value in the fstab, although it obviously is
>> > present.
>> >
>> >Strangely enough, if the kernel is compiled with CONFIG_SECURITY_SELINUX
>> > unset, the fsck doesn't complain about the missing passno field any
>> > more.
>> >
>> >Thanks,
>> >Rafael
>>
>> I just did a 2.6.27-rc1 rebuild on a pure, all defaults 'make oldconfig'
>> from my 2.6.26 final .config moved to that src tree.
>>
>> httpd is still being denied access to its log files and dies during the
>> bootup.
>>
>> This is a showstopper for me.
>
>Stephen Smalley just sent me a private note. Apparently he is having
>e-mail trouble but he did point out the most likely problem. Can you
>add the patch from
>
>http://marc.info/?l=linux-kernel&m=121726661110266&w=2
Bingo!
The first version there was off about 10 line numbers so I just added the "|
MAY_APPEND", as the second version shows and that was it. Thanks.
>And give it a whirl? Sorry, but we think the problem is that the VFS
>stopped passing all of the relevant information down to the security
>system. httpd is only allowed to append to its log files, not actually
>'write.' Since the VFS is no longer differentiating those two operations
>you are getting the denial for write.
>
>I'll try to get this pushed into linus's tree quickly.
Looks like it's a good-to-go fix from this angle. Thanks Eric.
You could even put a tested by: Gene Heskett in it I suppose. :)
>-Eric
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Fashion is a form of ugliness so intolerable that we have to alter it
every six months.
-- Oscar Wilde
* Re: 2.6.27-rc1 + selinux new options = no httpd
From: Al Viro @ 2008-08-01 14:47 UTC
To: Stephen Smalley; +Cc: Eric Paris, Gene Heskett, James Morris, linux-kernel
On Fri, Aug 01, 2008 at 08:51:08AM -0400, Stephen Smalley wrote:
>
> On Thu, 2008-07-31 at 10:44 -0400, Eric Paris wrote:
> > On Thu, 2008-07-31 at 09:09 -0400, Gene Heskett wrote:
> > > On Thursday 31 July 2008, James Morris wrote:
> >
> > > >What AVC messages are you seeing?
> > >
> > > I posted the whole screen from setroubleshoot earlier.
> >
> > I'm sorry but I can't seem to find it in your original message...
> >
> > http://marc.info/?l=linux-kernel&m=121747333012971&w=2
> >
> > Do you have another pointer? I can't think of anything that went into
> > 2.6.27 related to SELinux that should have in any way changed file
> > access checks but I'll poke through the changelog and see if something
> > stands out...
>
> It could be the append bug introduced by the vfs changes.
> See:
> http://marc.info/?l=linux-kernel&m=121726661110266&w=2
>
> That would break any case where only append permission is granted (not
> full write access), as would be typical for httpd log files.
commit d54bb7a971b41b8a4baba6e3d9adf14ce035947f
Author: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon Jul 28 13:32:38 2008 -0400
Re: BUG at security/selinux/avc.c:883 (was: Re: linux-next: Tree
for July 17: early crash on x86-64)
in vfs-2.6.git/for-next (and for-linus as well)
* Re: 2.6.27-rc1 + selinux new options = no httpd
From: Gene Heskett @ 2008-08-01 18:52 UTC
To: Stephen Smalley; +Cc: Eric Paris, James Morris, linux-kernel, Alexander Viro
On Thursday 31 July 2008, Stephen Smalley wrote:
>On Thu, 2008-07-31 at 10:44 -0400, Eric Paris wrote:
>> On Thu, 2008-07-31 at 09:09 -0400, Gene Heskett wrote:
>> > On Thursday 31 July 2008, James Morris wrote:
>> > >What AVC messages are you seeing?
>> >
>> > I posted the whole screen from setroubleshoot earlier.
>>
>> I'm sorry but I can't seem to find it in your original message...
>>
>> http://marc.info/?l=linux-kernel&m=121747333012971&w=2
>>
>> Do you have another pointer? I can't think of anything that went into
>> 2.6.27 related to SELinux that should have in any way changed file
>> access checks but I'll poke through the changelog and see if something
>> stands out...
>
>I suspect it is the append bug introduced by the vfs changes, fixed by
>http://marc.info/?l=linux-kernel&m=121726661110266&w=2
>
>httpd would only be allowed append permission to its log file by policy.
This fixed it right up a few hours ago, Stephen. Thanks.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Keep the phase, baby.