'cannot relabel' miscue on shutdown ....
Russell Coker
russell at coker.com.au
Tue Apr 5 05:45:06 UTC 2005
On Monday 04 April 2005 09:47, Tom London <selinux at gmail.com> wrote:
> Running targeted/enforcing, latest rawhide.
This one happens under strict as well.
> Each time I halt/reboot, I seem to get a message like the following
> (the 'funny text' varies):
Firstly the method of reproducing this is to kill -1 the top level process.
For a console login that means killing /bin/login, for a remote login that
means the sshd for the session in question. Much easier than rebooting the
machine to reproduce the bug. ;)
> Apr 3 11:58:51 localhost su[3659]: Warning! Could not relabel
> ,\uffff\uff7f\u0661\uffff with user_u:object_r:devpts_t, not
> relabeling.
Here's the strace output from reproducing that:
waitpid(-1, [{WIFSIGNALED(s) && WTERMSIG(s) == SIGHUP}], WSTOPPED) = 26120
setxattr("/dev/pts/1", "security.selinux", "user_u:object_r:user_devpts_t",
30, ) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
[read locale stuff]
close(3) = 0
munmap(0xb7d40000, 4096) = 0
[try unsuccessfully to open other locale files]
time([1112716582]) = 1112716582
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
socket(PF_FILE, SOCK_DGRAM, 0) = 3
fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
connect(3, {sa_family=AF_FILE, path="/dev/log"}, 16) = 0
send(3, "<37>Apr 6 01:56:22 su[26119]: Warning! Could not relabel
\374\322\360\277)1\307 with user_u:object_r:user_devpts_t, not relabeling.
\n", 119, MSG_NOSIGNAL) = 119
So it seems that the code does the correct thing but just logs bogus data.
The below code from pam-0.78-selinux.patch in the PAM package source seems to
be the culprit. If the variable tty already has "/dev/" at the start then
ttybuf will not be initialised.
+ if(strncmp("/dev/", tty, 5)) {
+ snprintf(ttybuf,sizeof(ttybuf),"/dev/%s",tty);
+ ptr = ttybuf;
+ }
+ else
+ ptr = tty;
+
+ if (setfilecon(ptr, context))
+ {
+ syslog(LOG_NOTICE,
+ _("Warning! Could not relabel %s with %s, not relabeling.\n"),
+ ttybuf,context);
+ }
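Review bot: the syslog() call in the setfilecon() failure branch passes ttybuf as the first %s argument, but ttybuf is only written when tty lacks the "/dev/" prefix. In the else branch ptr = tty and ttybuf is never filled in, so the warning formats uninitialised stack memory as a string. Pass ptr, the path actually handed to setfilecon(), instead of ttybuf. Including the errno text in the message would also keep the failure reason visible, and the trailing "\n" in the format string is not needed for syslog().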
I've filed a bugzilla report:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=153711
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
More information about the fedora-selinux-list mailing list