Re: AVC denied for docker while trying to set labels for tmpfs mounts

On Fri, Jul 23, 2021 at 10:52 AM Sujithra P <sujithrap@xxxxxxxxx> wrote:
> Thanks Ondrej.  Sorry about that, please find the details below.
>
> On Fri, Jul 23, 2021 at 1:31 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> >
> > On Thu, Jul 22, 2021 at 9:25 PM Sujithra P <sujithrap@xxxxxxxxx> wrote:
> > > Thanks Ondrej.
> > >
> > > Kernel version:  Linux #2 SMP Fri Apr 23 09:05:57 PDT 2021 x86_64
> > > x86_64 x86_64 GNU/Linux
> >
> > Somehow that string doesn't contain the actual version :) uname -r
> > should return the right version string (something like
> > "4.18.0-305.el8.x86_64").
>
> uname -r
> 5.4.17-2102.201.3.el8uek.x86_64

Ah, so this was actually a crucial bit of information. When I
installed this kernel from Oracle, I was able to reproduce the bug
using my artificial reproducer. I also reproduced it on plain 5.4.17
upstream kernel, so it's not related to Oracle's modifications.

The bug was indeed caused by the race condition I found, but in
kernels before 5.6 the code used to be a little different and led to
the bug you are seeing. After commit 66f8e2f03c02 ("selinux: sidtab
reverse lookup hash table"), the race condition was still there, but
it wasn't able to cause the bug any more (or it became extremely
unlikely, at least).

So to avoid the bug you need to either switch to a kernel that
includes the aforementioned commit (hint: stock RHEL/CentOS kernels in
version 8.3 and above already have that commit backported) or get
Oracle to either backport the commit (+ any relevant follow-ups) or
fix the race condition. I will submit a patch to fix the race
condition upstream so if you decide to report this problem to Oracle I
can provide you a link to the patch once I post it (it may take a
couple of days/weeks before I get it ready).

Hope this helps,

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
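As an added triage helper, not part of this thread or of any project's code: the reply above reduces the question "am I affected?" to whether the running kernel's upstream base version is at least 5.6 (where commit 66f8e2f03c02 landed), with the caveat that distro kernels may carry the fix as a backport even when their base version is older. The script below applies exactly that rule to `uname -r` strings. The 5.6 cut-off is taken from the message; the sample release strings are constructed (two of them are the ones quoted in the thread), and the `.el8`/`uek` substring checks are a heuristic of mine for deciding who to ask about a backport, not an authoritative check of distro changelogs.

```python
import platform
import re
from typing import Optional, Tuple

# From the thread: the race no longer produced the bug after commit
# 66f8e2f03c02 ("selinux: sidtab reverse lookup hash table"), i.e. from
# upstream 5.6 onward. Older base versions need a vendor backport.
UPSTREAM_FIXED_IN = (5, 6)

# Constructed sample `uname -r` outputs (first two are quoted in the thread).
SAMPLE_RELEASES = [
    "5.4.17-2102.201.3.el8uek.x86_64",  # Oracle UEK, reported affected
    "4.18.0-305.el8.x86_64",            # RHEL 8 style; base predates fix,
                                        # but RHEL 8.3+ stock kernels backport it
    "5.6.0",                            # first upstream release with the commit
    "5.10.0-8-amd64",                   # Debian style, newer than the fix
]

# Leading "major.minor[.patch]" of a kernel release string.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def base_version(release: str) -> Optional[Tuple[int, int, int]]:
    """Extract the upstream (major, minor, patch) tuple from a uname -r string.

    Returns None when the string does not start with a dotted version.
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def has_upstream_fix(release: str) -> Optional[bool]:
    """True if the base version is >= 5.6, i.e. the upstream tree has the fix.

    False only means the *base* version predates the fix; a distro backport
    may still be present, so False is "verify with the vendor", not a verdict.
    None means the release string could not be parsed.
    """
    v = base_version(release)
    if v is None:
        return None
    return v[:2] >= UPSTREAM_FIXED_IN


def classify(release: str) -> str:
    """Map a release string to a short triage label (heuristic, see lead-in)."""
    fixed = has_upstream_fix(release)
    if fixed is None:
        return "unparseable"
    if fixed:
        return "upstream-fixed"
    # Hypothetical heuristic: stock el8 kernels get the "check RHEL minor
    # version" advice from the thread; anything else (incl. UEK) goes to vendor.
    if ".el8" in release and "uek" not in release:
        return "base-predates-fix: stock RHEL/CentOS 8.3+ carry the backport, check distro version"
    return "base-predates-fix: ask vendor whether 66f8e2f03c02 is backported"


if __name__ == "__main__":
    # Classify the constructed samples, then the kernel this script runs on.
    for rel in SAMPLE_RELEASES + [platform.release()]:
        print(f"{rel:40s} -> {classify(rel)}")
```

Run it as-is to see the four constructed samples plus the local kernel classified; on a host that emits an `.el8uek` release like the reporter's, the output points at the vendor-backport question rather than declaring the kernel safe.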