[FC3] kernel panic after selinux-policy-targeted update

Oleg Makarenko mole at quadra.ru
Tue Jun 28 20:10:21 UTC 2005


Stephen Smalley wrote:

>On Tue, 2005-06-28 at 13:46 -0400, Chuck Anderson wrote:
>
>>I updated the bz ticket #161867.  All the systems I had this problem
>>with were running 2.6.11-1.27_FC3 at the time the update was done. 
>>The systems running 2.6.11-1.35_FC3 didn't experience the problem.  So
>>it does appear that the problem is the older kernel and the newer
>>policy.
>
>Hmmm...interesting, since AFAIK, the SELinux code didn't change between
>those two kernels, and FC3 kernel has no SELinux-related patches in it
>(it just uses the upstream code).  Side effect of another patch in the
>FC3 kernel?

Just to add more confusion... or probably give some hints to somebody...

I have the same problem on _both_ 1.27_FC3 and 1.35_FC3 kernels.

On the 1.35_FC3 machine (remote 2 Xeon x686 server) sshd and mingetty were
broken after the recent policy update.

I rebooted it with enforcing=0 (using remote console) and then

make -W users reload

(I have policy sources installed on the machine)

Everything works fine since then with
selinux-policy-targeted-1.17.30-3.13 and kernel-smp-2.6.11-1.35_FC3. My
policy sources have very minor changes in apache.te and mysqld.te files
only. Some http related booleans are also different... Maybe the binary
policy in the package is broken?

On my home 1.27_FC3 machine I have just updated the policy and have not
rebooted yet. Just after the update a lot of things are broken. For
example, I am unable to start a new (gnome-)terminal, etc.

setenforce 0 in the root's window (that I happen to run yum from) helps.
Now I am able to start a new non-root terminal and mozilla to write this
e-mail :)

If I then do setenforce 1 and try to ls I get:

[oleg at mole ~]$ ls
ls: error while loading shared libraries: /lib/tls/librt.so.1: cannot
apply additional memory protection after relocation: Permission denied

and in /var/log/messages I see

Jun 28 23:42:01 localhost kernel: audit(1119987721.476:0): avc:  denied 
{ execmod } for  pid=5873 comm=ls path=/lib/tls/librt-2.3.5.so dev=hda3
ino=16719 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:lib_t tclass=file

When I try to run ssh I get:

[oleg at mole ~]$ ssh localhost
ssh: error while loading shared libraries: /lib/libdl.so.2: cannot apply
additional memory protection after relocation: Permission denied

and

Jun 28 23:44:29 localhost kernel: audit(1119987869.572:0): avc:  denied 
{ execmod } for  pid=5882 comm=ssh path=/lib/libdl-2.3.5.so dev=hda3
ino=2052530 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:lib_t tclass=file

In the root's terminal everything works fine even with setenforce 1.

Hope this information may be useful.

=oleg
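
Added example, not part of the original message: a small parser for the `avc: denied` records quoted above that groups `execmod` denials by source type, target type and class, showing that both library failures reduce to the same `unconfined_t` to `lib_t:file` denial. The function names are hypothetical; the sample text is the two log records from the message with their line wraps.

```python
import re
from collections import defaultdict

# The two denials quoted in the message above, mail line wraps kept.
SAMPLE = """\
Jun 28 23:42:01 localhost kernel: audit(1119987721.476:0): avc:  denied
{ execmod } for  pid=5873 comm=ls path=/lib/tls/librt-2.3.5.so dev=hda3
ino=16719 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:lib_t tclass=file
Jun 28 23:44:29 localhost kernel: audit(1119987869.572:0): avc:  denied
{ execmod } for  pid=5882 comm=ssh path=/lib/libdl-2.3.5.so dev=hda3
ino=2052530 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:lib_t tclass=file
"""

HEAD_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):\d+\): avc: denied \{(?P<perms>[^}]*)\} for ")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Return one dict per 'avc: denied' record, tolerating wrapped lines."""
    flat = " ".join(text.split())  # collapse wraps and double spaces
    heads = list(HEAD_RE.finditer(flat))
    records = []
    for i, m in enumerate(heads):
        # A record's key=value fields run up to the next record's header.
        end = heads[i + 1].start() if i + 1 < len(heads) else len(flat)
        rec = {k: v.strip('"') for k, v in KV_RE.findall(flat[m.end():end])}
        rec["perms"] = m.group("perms").split()
        rec["time"] = float(m.group("ts"))
        records.append(rec)
    return records

def type_of(context):
    """Type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize(records, perm="execmod"):
    """Map (source type, target type, class) -> sorted paths denied `perm`."""
    groups = defaultdict(set)
    for r in records:
        if perm in r["perms"]:
            key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])
            groups[key].add(r.get("path", "?"))
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    for (src, tgt, cls), paths in summarize(parse_avc(SAMPLE)).items():
        print(f"{src} -> {tgt}:{cls} execmod denied for {', '.join(paths)}")
```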



