[JAUNTY] SRU: LP#357041: fix warnings about open_file_mask_to_av with unknown mode when SELinux is enabled.
Tim Gardner
tim.gardner at canonical.com
Mon Jun 15 13:26:13 UTC 2009
Manoj Iyer wrote:
> SRU JUSTIFICATION:
>
> IMPACT: Warnings about open_file_mask_to_av with unknown mode when
> SELinux is enabled; the upstream cherry-pick patch to fix this
> causes a kernel panic when SELinux is enabled.
>
> Fix: upstream cherry-pick to check open perms in dentry_open not
> inode_permission fixes the warning, and a sauce patch fixes the kernel
> panic. Sauce patch is not applicable to Linus tree as the offending code
> has been removed there.
>
> TEST: Test kernel in http://people.ubuntu.com/~manjo/lp357041-jaunty/ was
> tested by community and reported to work.
>
> The following changes since commit
> 8d6d84357a3631767f391571e8741c95d829a92d:
> Stefan Bader (1):
> UBUNTU: Forgotten update to control files
>
> are available in the git repository at:
>
> git://kernel.ubuntu.com/manjo/ubuntu-jaunty.git lp357041
>
> Eric Paris (1):
> SELinux: check open perms in dentry_open not inode_permission
>
> Manoj Iyer (1):
> UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.
>
> security/selinux/hooks.c | 61 +++++++++++++++++++++++----------------------
> 1 files changed, 31 insertions(+), 30 deletions(-)
>
> From da5d6df15cc1e71503a7c561999e98fdd2bc469d Mon Sep 17 00:00:00 2001
> From: Manoj Iyer <manoj.iyer at canonical.com>
> Date: Thu, 4 Jun 2009 15:36:41 -0500
> Subject: [PATCH] UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.
>
> OriginalAuthor: Eric Paris <eparis at redhat.com>
> BugLink: https://bugs.launchpad.net/ubuntu/jaunty/+source/linux/+bug/357041
>
> Signed-off-by: Manoj Iyer <manoj.iyer at canonical.com>
> ---
> security/selinux/hooks.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index f923577..02f3a16 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4558,7 +4558,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
> if (err)
> return err;
>
> - if (send_perm != 0)
> + if (!send_perm)
> return 0;
>
> err = sel_netport_sid(sk->sk_protocol,
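Review bot: The commit message carries only the OriginalAuthor, BugLink and Signed-off-by tags and never explains the inverted test on send_perm in selinux_ip_postroute_iptables_compat(), which is the entire change. With the old line `if (send_perm != 0)` the function returned 0 whenever a send permission had been selected, so the sel_netport_sid() lookup that follows was reached only with send_perm equal to 0; with `if (!send_perm)` it is reached only when a permission is set. That reverses which packets go through the port check, so the message should say why the old condition led to the panic, confirm that returning early for a zero send_perm is the intended behaviour, and name the change that introduced the wrong test. It would also help to clarify the OriginalAuthor tag, since the From line names a different author for this one-line fix.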
The original description in the bug report was a complaint about
harmless log messages. Unless there are enough of these to be considered
a Denial-of-service or log filler, then I'd say NAK. The issue is
already fixed upstream, and you _did_ have some trouble producing a test
kernel that didn't panic. I think the regression potential is too high
for what I assume is a relatively minor symptom.
rtg
--
Tim Gardner tim.gardner at canonical.com