Bug 364879 - SELinux load policy fails with sys-kernel/gentoo-sources-2.6.38
Summary: SELinux load policy fails with sys-kernel/gentoo-sources-2.6.38
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
: Normal major
Assignee: SE Linux Bugs
Reported: 2011-04-26 00:34 UTC by Chris Richards
Modified: 2011-05-13 16:50 UTC
Runtime testing required: ---

Attachments
Patch to fix SELinux in 2.6.38 kernel, file 1 (patch1.diff, 3.73 KB, patch)
2011-04-26 00:35 UTC, Chris Richards
Patch to fix SELinux in 2.6.38 kernel, file 2 (patch2.diff, 875 bytes, patch)
2011-04-26 00:36 UTC, Chris Richards
Patch to fix SELinux in 2.6.38 kernel, file 3 (patch3.diff, 2.75 KB, patch)
2011-04-26 00:36 UTC, Chris Richards

Description Chris Richards 2011-04-26 00:34:30 UTC
When booting a system using the 2.6.38 kernel with SELinux enabled, SELinux fails to load policy with the error "Could not load policy file /etc/selinux/strict/policy/policy.24: No space left on device" (note that depending on policy type, it could be strict or targeted). SELinux is completely disabled when starting in permissive mode, and stops the kernel from booting in enforcing mode. When running in permissive mode, running the sestatus command shows that SELinux is disabled, regardless of settings on the kernel command line or in the /etc/selinux/config file. /proc/mounts shows that selinuxfs is indeed mounted at /selinux.

This appears to affect only the 2.6.38 kernel; earlier kernels do not exhibit this behavior. Although this was first discovered on the hardened 2.6.38 kernel, it also appears on the vanilla kernel.

Reproducible: Always

Steps to Reproduce:
1. Build a working SELinux system using 2.6.37 or earlier kernels from either the hardened or vanilla tree.
2. Emerge the 2.6.38 kernel, using either hardened or vanilla sources.
3. Observe the error during startup indicating 'No space left on device' while loading policy.
4. Use the sestatus tool to verify that SELinux is disabled.
Actual Results:
SELinux is disabled

Expected Results:
SELinux should be enabled and operating according to the configuration file or kernel command-line parameters

Working with Eric Paris in #selinux to resolve the issue resulted in the attached patches from Eric, which appear to resolve the issue.
Comment 1 Chris Richards 2011-04-26 00:35:42 UTC
Created attachment 271181
Patch to fix SELinux in 2.6.38 kernel, file 1
Comment 2 Chris Richards 2011-04-26 00:36:14 UTC
Created attachment 271183
Patch to fix SELinux in 2.6.38 kernel, file 2
Comment 3 Chris Richards 2011-04-26 00:36:42 UTC
Created attachment 271185
Patch to fix SELinux in 2.6.38 kernel, file 3
Comment 4 Chris Richards 2011-04-26 00:37:15 UTC
According to Eric, patch 3 is probably not required, and my testing confirms that things appear to work just fine with only the first 2 patches.
Comment 5 Anthony Basile gentoo-dev 2011-04-26 00:40:38 UTC
With hardened-sources-2.6.38-r1 I had a different issue. There selinuxfs didn't even mount. It may be the same bug which manifests itself differently with the grsec/pax patches, but I'm not sure. I'm going to test the above patches and report back.
Comment 6 Chris Richards 2011-04-26 02:41:07 UTC
Eric says that selinuxfs not mounting is almost certainly a completely different issue.
Comment 7 Chris PeBenito (RETIRED) gentoo-dev 2011-05-13 16:50:36 UTC
This is fixed in -r5, since it has 2.6.38.6, which has the above patches.