[FC3] kernel panic after selinux-policy-targeted update

Oleg Makarenko mole at quadra.ru
Tue Jun 28 21:39:31 UTC 2005


Oleg Makarenko wrote:

> Just to add more confusion... or probably give some hints to somebody...
>
>I have the same problem on _both_ 1.27_FC3 and 1.35_FC3 kernels.
>
>On 1.35_FC3 machine (remote 2 Xeon x686 server) sshd and mingetty were
>broken after the recent policy update.
>
>I rebooted it with enforcing=0 (using remote console) and then
>
>make -W users reload
>
>(I have policy sources installed on the machine)
>
>Everything works fine since then with
>selinux-policy-targeted-1.17.30-3.13 and kernel-smp-2.6.11-1.35_FC3. My
>policy sources have very minor changes in apache.te and mysqld.te files
>only. Some HTTP-related booleans are also different... Maybe the binary
>policy in the package is broken?
>
>On my home 1.27_FC3 machine I have just updated the policy and have not
>rebooted yet. Just after the update a lot of things are broken. For
>example I am unable to start a new (gnome-)terminal, etc.
>
>setenforce 0 in the root's window (that I happen to run yum from) helps.
>Now I am able to start new non root's terminal and mozilla to write this
>e-mail :)
>
>If I then do setenforce 1 and try to ls I get:
>
>[oleg at mole ~]$ ls
>ls: error while loading shared libraries: /lib/tls/librt.so.1: cannot
>apply additional memory protection after relocation: Permission denied
>
>and in /var/log/messages I see
>
>Jun 28 23:42:01 localhost kernel: audit(1119987721.476:0): avc:  denied 
>{ execmod } for  pid=5873 comm=ls path=/lib/tls/librt-2.3.5.so dev=hda3
>ino=16719 scontext=user_u:system_r:unconfined_t
>tcontext=system_u:object_r:lib_t tclass=file
>
> when I try to run ssh I get:
>
>[oleg at mole ~]$ ssh localhost
>ssh: error while loading shared libraries: /lib/libdl.so.2: cannot apply
>additional memory protection after relocation: Permission denied
>
>and
>
>Jun 28 23:44:29 localhost kernel: audit(1119987869.572:0): avc:  denied 
>{ execmod } for  pid=5882 comm=ssh path=/lib/libdl-2.3.5.so dev=hda3
>ino=2052530 scontext=user_u:system_r:unconfined_t
>tcontext=system_u:object_r:lib_t tclass=file
>
>in the root's terminal everything works fine even with setenforce 1.
>
>Hope this information may be useful.
>
>=oleg
>
I have installed the 1.35_FC3 kernel on my 1.27_FC3 machine and it works
fine with the latest policy without any additional tricks. With exactly
the same settings and policy, 1.27_FC3 doesn't boot, as /sbin/init
triggers avc: denied { execmod }.

1.14 doesn't work either while kernel-2.6.10-1.770_FC3 works fine with
the new policy.

Policy rebuilding doesn't help here, so probably my 1.35_FC3 machine
actually ran kernel 1.27_FC3 at the update time.

Sorry for the confusion.

So I also see the problem only on 1.14 and 1.27 kernels.

=oleg
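The AVC records quoted above have a regular shape (`audit(<ts>:<serial>): avc: denied { <perms> } for key=value ...`), which makes triage of a policy-update regression like this one mechanical. The following parser is an added example written for this thread, not code from the list or from Fedora; it reconstructs the two wrapped log lines from the message as single constructed sample lines and summarizes denials by permission, source type, target type and object class, so a defender can see at a glance that every failure is `execmod` from `unconfined_t` against `lib_t` files (the signature of the library-labelling problem discussed here) rather than a scatter of unrelated denials. The helper names (`parse_avc`, `parse_log`, `summarize`) are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Core of an AVC message as it appears in /var/log/messages on a 2.6.x
# kernel: the syslog prefix before "audit(" is ignored by using search().
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs after "for": pid=, comm=, path=, scontext=, tcontext=, tclass= ...
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class AvcRecord:
    ts: float
    serial: int
    verdict: str
    perms: tuple          # e.g. ('execmod',)
    fields: dict          # e.g. {'pid': '5873', 'comm': 'ls', ...}


def context_type(ctx):
    """Return the type component of a user:role:type[:level] context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one log line; return an AvcRecord or None if it is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return AvcRecord(
        ts=float(m["ts"]),
        serial=int(m["serial"]),
        verdict=m["verdict"],
        perms=tuple(m["perms"].split()),
        fields=dict(FIELD_RE.findall(m["fields"])),
    )


def parse_log(text):
    """Parse a whole log excerpt, silently skipping non-AVC lines."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize(records):
    """Count denials by (permission, source type, target type, object class).

    One dominant key (here execmod/unconfined_t/lib_t/file) points at a
    labelling or policy problem rather than at individual misbehaving programs.
    """
    counts = Counter()
    for r in records:
        if r.verdict != "denied":
            continue
        for perm in r.perms:
            key = (perm,
                   context_type(r.fields.get("scontext", "")),
                   context_type(r.fields.get("tcontext", "")),
                   r.fields.get("tclass", ""))
            counts[key] += 1
    return counts


def denied_paths(records, perm="execmod"):
    """List (comm, path) pairs for denials of a given permission, in log order."""
    return [(r.fields.get("comm", "?"), r.fields.get("path", "?"))
            for r in records if r.verdict == "denied" and perm in r.perms]


# Constructed sample: the two records from the thread, unwrapped onto one
# line each, plus an unrelated syslog line that the parser must ignore.
SAMPLE_LOG = """\
Jun 28 23:41:55 localhost sshd[5870]: Accepted publickey for oleg from 127.0.0.1
Jun 28 23:42:01 localhost kernel: audit(1119987721.476:0): avc:  denied  { execmod } for  pid=5873 comm=ls path=/lib/tls/librt-2.3.5.so dev=hda3 ino=16719 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
Jun 28 23:44:29 localhost kernel: audit(1119987869.572:0): avc:  denied  { execmod } for  pid=5882 comm=ssh path=/lib/libdl-2.3.5.so dev=hda3 ino=2052530 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in summarize(recs).most_common():
        print(n, key)
    for comm, path in denied_paths(recs):
        print(f"{comm}: execmod denied on {path}")
```

Run on a real `/var/log/messages` excerpt, a summary dominated by a single `execmod`/`lib_t` key is the cue to look at the policy or library labels rather than at each failing command individually, which is what the thread's "rebuild the policy and reload" step was aiming at.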
