Bug 292010 - sys-kernel/hardened-sources 2.6.28-r9 bug in kernel avc.c:888 with networking cards
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: x86 Linux
Importance: High major with 1 vote
Assignee: The Gentoo Linux Hardened Kernel Team (OBSOLETE)
Reported: 2009-11-05 19:11 UTC by Matt Wood
Modified: 2011-01-21 12:01 UTC

Attachments
kernel config (config_with_selinux.conf,52.89 KB, text/plain)
2009-11-05 19:12 UTC, Matt Wood

Description Matt Wood 2009-11-05 19:11:02 UTC
I recently tried to install a Gentoo hardened server with SELinux, using the latest release of the hardened stage3 and hardened sources. After finishing the install, I consistently get a crash dealing with avc.c:888. If I remove my networking cards, either physically or in the kernel config, the kernel boots normally.



Reproducible: Always

Steps to Reproduce:
1.  Install current Hardened sources/stage3 with networking card(s) and enable SELinux.
2.  Reboot
3.  Observe crash

Actual Results:  
Kernel crashes with the following:

[   13.799123] ------------[ cut here ]------------
[   13.800022] kernel BUG at security/selinux/avc.c:888!
[   13.800022] invalid opcode: 0000 [#1]
[   13.800022] last sysfs file: /sys/devices/pci0000:00/0000:00:11.1/ide0/0.0/block/hda/uevent
[   13.800022] Modules linked in:
[   13.800022]
[   13.800022] Pid: 2502, comm: runscript.sh Not tainted (2.6.28-hardened-r9 #7) Cyberpower Computer
[   13.800022] EIP: 0060:[<c0b1caeb>] EFLAGS: 00010246 CPU: 0
[   13.800022] EAX: 00000001 EBX: 00000011 ECX: 00000011 EDX: 00000009
[   13.800022] ESI: 00000011 EDI: df287cb8 EBP: df287c9c ESP: df287c50
[   13.800022]  DS: 0068 ES: 0068 FS: 0000 GS: 0033 SS: 0068
[   13.800022] Process runscript.sh (pid: 2502, ti=df286000 task=df8904f0 task.ti=df286000)
[   13.800022] Stack:
[   13.800022]  00110000 00000009 00000001 0000000c 00000001 00000246 df287d80 df8904f0
[   13.800022]  df287d1c df287d2c ffffffff ffffffff 00000012 00000000 df287cb8 df287cd8
[   13.800022]  00000011 00000011 df287cb8 df287cd8 c0b1d487 00000000 00000000 df287cb8
[   13.800022] Call Trace:
[   13.800022]  [<c0b1d487>] ? 0xc0b1d487
[   13.800022]  [<c0a1f7d0>] ? 0xc0a1f7d0
[   13.800022]  [<c0b24f70>] ? 0xc0b24f70
[   13.800022]  [<c0b2030f>] ? 0xc0b2030f
[   13.800022]  [<c0cf0873>] ? 0xc0cf0873
[   13.800022]  [<c0a1f70a>] ? 0xc0a1f70a
[   13.800022]  [<c0b20361>] ? 0xc0b20361
[   13.800022]  [<c0c7c60b>] ? 0xc0c7c60b
[   13.800022]  [<c0ccf3b5>] ? 0xc0ccf3b5
[   13.800022]  [<c0c7c71e>] ? 0xc0c7c71e
[   13.800022]  [<c0ccf3b5>] ? 0xc0ccf3b5
[   13.800022]  [<c0cd0e82>] ? 0xc0cd0e82
[   13.800022]  [<c0ccf3b5>] ? 0xc0ccf3b5
[   13.800022]  [<c0cd174a>] ? 0xc0cd174a
[   13.800022]  [<c0c7c60b>] ? 0xc0c7c60b
[   13.800022]  [<c0ce17f4>] ? 0xc0ce17f4
[   13.800022]  [<c0c7c71e>] ? 0xc0c7c71e
[   13.800022]  [<c0ce17f4>] ? 0xc0ce17f4
[   13.800022]  [<c0ce2900>] ? 0xc0ce2900
[   13.800022]  [<c0ce307e>] ? 0xc0ce307e
[   13.800022]  [<c0ce3363>] ? 0xc0ce3363
[   13.800022]  [<c0a317cf>] ? 0xc0a317cf
[   13.800022]  [<c0a22406>] ? 0xc0a22406
[   13.800022]  [<c0ce31a9>] ? 0xc0ce31a9
[   13.800022]  [<c0ce31a9>] ? 0xc0ce31a9
[   13.800022]  [<c0a1f5be>] ? 0xc0a1f5be
[   13.800022]  [<c0a1f65f>] ? 0xc0a1f65f
[   13.800022]  [<c0a1f71d>] ? 0xc0a1f71d
[   13.800022]  [<c0a05eba>] ? 0xc0a05eba
[   13.800022]  [<c0a04c23>] ? 0xc0a04c23
[   13.800022] Code: eb 09 89 d8 e8 43 a1 03 00 89 c3 89 d8 5b 5e 5f 5d c3 55 89 e5 57 56 53 83 ec 40 83 7d 08 00 89 45 bc 89 55 b8 66 89 4d b6 75 04 <0f> 0b eb fe 8b 7d b8 0f b7 4d b6 ff 05 8c 93 e8 c0 c1 e7 02 33
[   13.800022] EIP: [<c0b1caeb>]  SS:ESP 0068:df287c50
[   14.032204] Kernel panic - not syncing: Fatal exception in interrupt

Expected Results:  
Kernel should boot normally

emerge --info:
Portage 2.1.6.13 (selinux/v2refpolicy/x86/server, gcc-4.3.4, glibc-2.9_p20081201-r2, 2.6.28-hardened-r9 i686)
=================================================================
System uname: Linux-2.6.28-hardened-r9-i686-AMD_Athlon-tm-_XP_1700+-with-gentoo-1.12.11.1
Timestamp of tree: Wed, 04 Nov 2009 23:15:01 +0000
app-shells/bash:     4.0_p28
dev-lang/python:     2.6.2-r1
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=athlon-xp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages loadpolicy parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://osmirrors.cerias.purdue.edu/pub/gentoo/ ftp://ftp.lug.udel.edu/pub/gentoo/ http://www.gtlib.gatech.edu/pub/gentoo ftp://gentoo.netnitco.net/pub/mirrors/gentoo/source/ ftp://mirror.iawnet.sandia.gov/pub/gentoo/ http://gentoo.cites.uiuc.edu/pub/gentoo/ http://mirror.usu.edu/mirrors/gentoo/ ftp://gentoo.chem.wisc.edu/gentoo/ ftp://mirrors.rit.edu/gentoo/ http://www.cyberuse.com/gentoo/ http://mirror.datapipe.net/gentoo http://mirrors.rit.edu/gentoo/ http://mirror.mcs.anl.gov/pub/gentoo/ http://lug.mtu.edu/gentoo/ ftp://lug.mtu.edu/gentoo/ http://gentoo.chem.wisc.edu/gentoo/ ftp://ftp.ucsb.edu/pub/mirrors/linux/gentoo/ http://gentoo.netnitco.net ftp://mirror.mcs.anl.gov/pub/gentoo/ ftp://chi-10g-1-mirror.fastsoft.net/pub/linux/gentoo/gentoo-distfiles/ ftp://ftp.gtlib.gatech.edu/pub/gentoo "
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="apache2 berkdb crypt hardened mmx ncurses pam perl pic python readline selinux snmp ssl tcpd x86 xml" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 1 Matt Wood 2009-11-05 19:12:01 UTC
Created attachment 209360
kernel config
Comment 2 Christian Fuchs 2009-11-06 19:42:12 UTC
I can confirm this bug, but it seems adding AVC-Statistics Support at least solves the symptoms.

menuconfig:
Under "Security options":
[*]   NSA SELinux AVC Statistics

or in the kernel config:
CONFIG_SECURITY_SELINUX_AVC_STATS=y

Now the Kernel will boot successfully.
Comment 3 Matt Wood 2009-11-06 19:52:22 UTC
I originally tried this and it didn't work.  I believe that selecting [*] NSA SELinux enable new secmark network controls by default.

I'm testing this on a fresh install now and will verify with/without AVC statistics.
Comment 4 Christian Fuchs 2009-11-06 20:08:11 UTC
Odd, because this is the kernelconfig for the (nor working) testing-system:

CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT is not set
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set

the only change was the adding of AVC_Stats, SECMARKs was disabled by default, and not enabled at any point.
Comment 5 Christian Fuchs 2009-11-08 17:02:38 UTC
I have got a bit of an update:
Once the selinux userland is in place, the kernel will panic as soon as the first ssh-connection is being initiated, credentials are being exchanged however.
In other words: the kernel panics as soon as the user has typed his password into the password prompt of the ssh client and presses return...

have you made any progress Matt?

to clarify this bug:
the panic has nothing to do with the NICs themselves, removing or deactivating them only evades triggering the bug.
Comment 6 Federico Moro 2009-11-09 00:12:51 UTC
Exactly the same bug here. It happens when 3c59x eth1 (the internet interface) is setting up, between ifconfig and route.

I've switched on CONFIG_SECURITY_SELINUX_AVC_STATS and kernel doesn't boot because of a kernel panic
...
 kernel BUG at security/selinux/avc.c:888!
...

Here is my emerge --info
Portage 2.1.6.13 (default/linux/x86/10.0/server, gcc-4.3.4, glibc-2.9_p20081201-r2, 2.6.23-hardened-r7 i686)
=================================================================
System uname: Linux-2.6.23-hardened-r7-i686-AMD_Athlon-tm-_Processor-with-gentoo-1.12.13
Timestamp of tree: Sun, 08 Nov 2009 18:30:01 +0000
app-shells/bash:     4.0_p28
dev-java/java-config: 2.1.9-r1
dev-lang/python:     2.6.2-r1
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O3 -march=athlon -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O3 -march=athlon -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnoext 3dnow acl acpi apache apache2 authdaemond bash-completion bzip2 cli cmov cracklib crypt cx8 dba doc dri dynamicplugin ethereal fortran fpu fxsr gd gdbm geoip gif gpm gps hardened hardenedphp iconv ipv6 jpeg jpeg2k latin1 ldap maildir mca mce mmx mmxext modules msr mttr mudflap mysql ncruses ncurses nls nowebdav nptl nptlonly offensive openmp pae pam pat pcre perl pge png pppd pse pse36 python react readline reflection sasl sep session snmp snortsam spell spl sql sqlite sqlite3 sse ssl syscall sysfs tcpd tiff truetype tsc vme x86 xml xorg zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 7 Matt Wood 2009-11-09 21:07:54 UTC
I got my test system completely installed and up and running correctly - both NICs are working and with AVC stats enabled in the kernel - I'm not sure what originally caused this now.  When I was getting the panics, I was doing nothing with ssh - I didn't even have it starting as default in RC.  I have done an emerge -uD world since originally bringing it up...
Comment 8 Christian Fuchs 2009-11-09 21:40:36 UTC
I'm now pretty sure what causes this bug:
When requesting permissions, several functions distributed over the different C files that resemble the selinux-subsystem of the kernel will call avc_has_perm() with the SID pair and the requested permission.

these permissions are defines inside <kernelsource>/security/selinux/includes/av_permissions.h in the form of:
...
#define COMMON_FILE__QUOTAON                             0x00008000UL
#define COMMON_FILE__MOUNTON                             0x00010000UL
...

It seems however, that av_permissions.h is not always included in the build, resulting in NULL being handed over as requested-permission to avc_has_perm(), which again calls avc_has_perm_noaudit(). Line 888 BUG_ON(!requested) in avc_has_perm_noaudit() will then kill the kernel.

Adding an include for this header file seems to fix the problem.
Comment 9 manwe 2009-11-25 10:33:55 UTC
Where should it be included?
Comment 10 Marcin Szamotulski 2009-11-27 14:39:27 UTC
I got a similar problem booting a newly configured hardened kernel. When I had just CONFIG_SECURITY_SELINUX_AVC_STATS enabled, I got kernel panics just after turning on my wifi card. Enabling CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT helped, as written above.

Thanks

Comment 11 Robert Havens 2010-01-23 04:12:20 UTC
I just finished a fresh install and encountered this problem.  Enabling CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT gets the machine to boot now.  I am using sky2 and forcedeth, both seem to cause the panic when either interface is started.
Comment 12 Ross Beaudry 2010-01-23 15:54:33 UTC
Had the same problem today with a fresh install (under VMware Workstation). As soon as the first NIC is started during boot I receive the kernel panic. Found this bug report and re-built kernel with CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT enabled. Boot now completes. Many thanks to those who preceded me in finding and reporting this bug & the workaround.
Comment 13 Maros Zubko 2010-05-02 20:18:38 UTC
I had the same problem, but my gentoo rebooted normally a few times after some security tuning, emerging additional packages like syslog etc. Everything works really great, but today when I start the computer it hangs when entering runlevel 3. Runlevel 1 boots completely fine. But the thing is I didn't change the kernel from the previous reboot!

But definitely after rebuilding a kernel with CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y the machine boots like a charm.
Thank you.
Comment 14 Anthony Basile gentoo-dev 2010-08-16 20:09:12 UTC
I'm thinking of closing this bug if no one has any further issues.  1) Looks like a workaround was found with CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y.  2) The latest stable hardened sources is 2.6.32-r9.
Comment 15 Anthony Basile gentoo-dev 2011-01-21 12:01:06 UTC
This kernel is off the tree now, so I'm closing this bug.
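
A check for the workaround reported in Comments 10 to 14, as an added example that is not part of the bug thread or of any Gentoo tooling: it reads a kernel .config and reports whether CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y is set alongside SELinux. The function names are hypothetical, and the sample config is constructed from the fragment posted in Comment 4.

```shell
#!/bin/sh
# Added example (hypothetical function names, not Gentoo tooling).

# kconfig_state FILE SYMBOL: print the symbol's value ("y", "1", ...),
# "unset" for "# CONFIG_<SYMBOL> is not set", or "absent" if never mentioned.
# The match is exact, so SECURITY_SELINUX does not match ..._BOOTPARAM.
kconfig_state() {
    awk -v sym="CONFIG_$2" '
        index($0, sym "=") == 1        { state = substr($0, length(sym) + 2) }
        $0 == ("# " sym " is not set") { state = "unset" }
        END { print (state == "" ? "absent" : state) }
    ' "$1"
}

# check_avc_workaround FILE: return 0 if SELinux is not built in or the
# SECMARK default is enabled, 1 if the workaround from the thread is missing,
# 2 if the file cannot be read.
check_avc_workaround() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    selinux=$(kconfig_state "$1" SECURITY_SELINUX)
    secmark=$(kconfig_state "$1" SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT)
    stats=$(kconfig_state "$1" SECURITY_SELINUX_AVC_STATS)
    [ "$selinux" = y ] || { echo "SELinux not built in; not affected"; return 0; }
    echo "AVC_STATS=$stats ENABLE_SECMARK_DEFAULT=$secmark"
    [ "$secmark" = y ] && { echo "workaround present"; return 0; }
    echo "workaround missing: set CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y"
    return 1
}

# write_sample FILE SECMARK_LINE: constructed sample based on the fragment in
# Comment 4, with the SECMARK line supplied by the caller.
write_sample() {
    cat > "$1" <<EOF
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
$2
EOF
}

# With an argument, check that file; without one, use the constructed sample.
if [ $# -gt 0 ]; then
    check_avc_workaround "$1"
else
    tmp=$(mktemp)
    write_sample "$tmp" "# CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT is not set"
    check_avc_workaround "$tmp" || true
    rm -f "$tmp"
fi
```

Run it with the path of the kernel config to check, for example the .config in the kernel source tree being built.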