Hello, this is Fedora 8 linux, kernel 2.6.24.3-50.fc8 on i686, openafs 1.4.6-1.3.
Summary: If SELinux is enforcing, I occasionally get a kernel error. If SELinux is permissive, the logs suggest that the cache manager sometimes uses the context of its caller (i.e. the process that accesses AFS files) when it accesses cache files or the UDP socket.

Here are examples of the kernel errors:

Mar 31 11:15:29 repan kernel: openafs: Can't open inode 25076302
Mar 31 11:15:29 repan kernel: ------------[ cut here ]------------
Mar 31 11:15:29 repan kernel: kernel BUG at /usr/src/redhat/BUILD/openafs-1.4.6/src/libafs/MODLOAD-2.6.24.3-50.fc8-SP/osi_file.c:71!
Mar 31 11:15:29 repan kernel: invalid opcode: 0000 [#1] SMP
Mar 31 11:15:29 repan kernel: Modules linked in: i915 drm openafs(P)(U) rfcomm l2cap bluetooth fuse sunrpc nf_conntrack_ipv4 ipt_REJECT iptable_filter ip_tables nf_conntrack_ipv6 xt_state nf_conntrack xt_tcpudp ip6t_ipv6header ip6t_REJECT ip6table_filter ip6_tables x_tables cpufreq_ondemand acpi_cpufreq loop dm_multipath ipv6 snd_hda_intel snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss i2c_i801 snd_pcm i2c_core parport_pc snd_timer parport snd_page_alloc button snd_hwdep snd pcspkr serio_raw tpm_infineon tpm tpm_bios soundcore sg sr_mod e1000e floppy cdrom dm_snapshot dm_zero dm_mirror dm_mod pata_acpi ata_generic ata_piix libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd
Mar 31 11:15:29 repan kernel:
Mar 31 11:15:29 repan kernel: Pid: 2802, comm: sshd Tainted: P (2.6.24.3-50.fc8 #1)
Mar 31 11:15:29 repan kernel: EIP: 0060:[<f8eb234d>] EFLAGS: 00210292 CPU: 0
Mar 31 11:15:29 repan kernel: EIP is at osi_UFSOpen+0x155/0x1d4 [openafs]
Mar 31 11:15:29 repan kernel: EAX: 00000026 EBX: ef437000 ECX: 00200092 EDX: 00200000
Mar 31 11:15:29 repan kernel: ESI: f7030800 EDI: ef99e478 EBP: 017ea24e ESP: f3ad8cac
Mar 31 11:15:29 repan kernel: DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Mar 31 11:15:29 repan kernel: Process sshd (pid: 2802, ti=f3ad8000 task=ef5d13b0 task.ti=f3ad8000)
Mar 31 11:15:29 repan kernel: Stack: f8ec673b 017ea24e 00000001 eface480 f8f29b60 00000006 00000000 f8e974ad
Mar 31 11:15:29 repan kernel: f3ad8d40 f3ad8cf4 f3ad8cec 00000000 eface480 f6d7d000 00000006 00000000
Mar 31 11:15:29 repan kernel: 00000006 00000000 00000000 00000000 f6d3f7e0 eface480 00000000 00000000
Mar 31 11:15:29 repan kernel: Call Trace:
Mar 31 11:15:29 repan kernel: [<f8e974ad>] afs_UFSHandleLink+0x115/0x1d3 [openafs]
Mar 31 11:15:29 repan kernel: [<f8e92b15>] afs_lookup+0xa34/0xf3f [openafs]
Mar 31 11:15:29 repan kernel: [<f8eb61bf>] afs_linux_lookup+0x70/0x16e [openafs]
Mar 31 11:15:29 repan kernel: [<c04d5e50>] inode_has_perm+0x66/0x6e
Mar 31 11:15:29 repan kernel: [<c0497e59>] d_alloc+0x141/0x16f
Mar 31 11:15:29 repan kernel: [<c048f469>] do_lookup+0xa3/0x140
Mar 31 11:15:29 repan kernel: [<c0490b7c>] __link_path_walk+0x2cd/0xb4a
Mar 31 11:15:29 repan kernel: [<c0432c17>] current_fs_time+0x13/0x15
Mar 31 11:15:29 repan kernel: [<c049143d>] link_path_walk+0x44/0xb3
Mar 31 11:15:29 repan kernel: [<c045e06a>] audit_syscall_exit+0x2c7/0x2e3
Mar 31 11:15:29 repan kernel: [<c045dd79>] audit_syscall_entry+0x10d/0x137
Mar 31 11:15:29 repan kernel: [<c0491725>] do_path_lookup+0x162/0x1c4
Mar 31 11:15:29 repan kernel: [<c04906eb>] getname+0x59/0xad
Mar 31 11:15:29 repan kernel: [<c0491ef6>] __user_walk_fd+0x2f/0x40
Mar 31 11:15:29 repan kernel: [<c0487e55>] sys_faccessat+0x9c/0x133
Mar 31 11:15:29 repan kernel: [<c045e06a>] audit_syscall_exit+0x2c7/0x2e3
Mar 31 11:15:29 repan kernel: [<c045dd79>] audit_syscall_entry+0x10d/0x137
Mar 31 11:15:29 repan kernel: [<c0487f0b>] sys_access+0x1f/0x23
Mar 31 11:15:29 repan kernel: [<c04051da>] syscall_call+0x7/0xb
Mar 31 11:15:29 repan kernel: =======================
Mar 31 11:15:29 repan kernel: Code: ee f8 85 d2 74 04 f0 ff 42 60 b9 02 00 00 00 e8 d2 55 5d c7 3d 00 f0 ff ff 76 14 89 6c 24 04 c7 04 24 3b 67 ec f8 e8 0d d4 57 c7 <0f> 0b eb fe 89 43 04 8b 40 0c 8b 40 0c 8b 40 3c 89 03 b8 40 70
Mar 31 11:15:29 repan kernel: EIP: [<f8eb234d>] osi_UFSOpen+0x155/0x1d4 [openafs] SS:ESP 0068:f3ad8cac
Mar 31 11:15:29 repan kernel: ---[ end trace ece46aeb510c829f ]---

Apr 1 08:07:15 repan kernel: openafs: Can't open inode 25076053
Apr 1 08:07:15 repan kernel: ------------[ cut here ]------------
Apr 1 08:07:15 repan kernel: kernel BUG at /usr/src/redhat/BUILD/openafs-1.4.6/src/libafs/MODLOAD-2.6.24.3-50.fc8-SP/osi_file.c:71!
Apr 1 08:07:15 repan kernel: invalid opcode: 0000 [#1] SMP
Apr 1 08:07:15 repan kernel: Modules linked in: i915 drm openafs(P)(U) rfcomm l2cap bluetooth fuse sunrpc nf_conntrack_ipv4 ipt_REJECT iptable_filter ip_tables nf_conntrack_ipv6 xt_state nf_conntrack xt_tcpudp ip6t_ipv6header ip6t_REJECT ip6table_filter ip6_tables x_tables cpufreq_ondemand acpi_cpufreq loop dm_multipath ipv6 snd_hda_intel snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_hwdep e1000e i2c_i801 tpm_infineon snd sr_mod parport_pc i2c_core tpm serio_raw parport soundcore button pcspkr tpm_bios floppy cdrom sg dm_snapshot dm_zero dm_mirror dm_mod pata_acpi ata_generic ata_piix libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd
Apr 1 08:07:15 repan kernel:
Apr 1 08:07:15 repan kernel: Pid: 4136, comm: sshd Tainted: P (2.6.24.3-50.fc8 #1)
Apr 1 08:07:15 repan kernel: EIP: 0060:[<f8eb234d>] EFLAGS: 00210296 CPU: 0
Apr 1 08:07:15 repan kernel: EIP is at osi_UFSOpen+0x155/0x1d4 [openafs]
Apr 1 08:07:15 repan kernel: EAX: 00000026 EBX: f6cbd000 ECX: 00200092 EDX: 00200000
Apr 1 08:07:15 repan kernel: ESI: f7016800 EDI: ef979a48 EBP: 017ea155 ESP: e65d8ca4
Apr 1 08:07:15 repan kernel: DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Apr 1 08:07:15 repan kernel: Process sshd (pid: 4136, ti=e65d8000 task=ef576690 task.ti=e65d8000)
Apr 1 08:07:15 repan kernel: Stack: f8ec673b 017ea155 00000000 ef67b038 ef67b038 ef67b3f0 00000000 f8e712ec
Apr 1 08:07:15 repan kernel: f7f38180 f8f1fc00 f8f1fc00 00000000 f8f1fc00 00000004 f8e7ce4c e65d8cfc
Apr 1 08:07:15 repan kernel: e5865c10 f8f1fc00 e65d8d58 e65d8d90 00000000 f8e7d484 efab6480 f8f1fc00
Apr 1 08:07:15 repan kernel: Call Trace:
Apr 1 08:07:15 repan kernel: [<f8e712ec>] DRead+0x2cc/0x35d [openafs]
Apr 1 08:07:15 repan kernel: [<f8e7ce4c>] FindItem+0x24/0xb7 [openafs]
Apr 1 08:07:15 repan kernel: [<f8e7d484>] afs_dir_LookupOffset+0x13/0x55 [openafs]
Apr 1 08:07:15 repan kernel: [<f8e926f4>] afs_lookup+0x613/0xf3f [openafs]
Apr 1 08:07:15 repan kernel: [<c04d0fbf>] search_process_keyrings+0x10d/0x1e0
Apr 1 08:07:15 repan kernel: [<c04d15cc>] request_key_and_link+0x24/0x284
Apr 1 08:07:15 repan kernel: [<f8eb61bf>] afs_linux_lookup+0x70/0x16e [openafs]
Apr 1 08:07:15 repan kernel: [<c04d5e50>] inode_has_perm+0x66/0x6e
Apr 1 08:07:15 repan kernel: [<c0497e59>] d_alloc+0x141/0x16f
Apr 1 08:07:15 repan kernel: [<c048f469>] do_lookup+0xa3/0x140
Apr 1 08:07:15 repan kernel: [<c0490b7c>] __link_path_walk+0x2cd/0xb4a
Apr 1 08:07:15 repan kernel: [<c0432c17>] current_fs_time+0x13/0x15
Apr 1 08:07:15 repan kernel: [<c049143d>] link_path_walk+0x44/0xb3
Apr 1 08:07:15 repan kernel: [<c045e06a>] audit_syscall_exit+0x2c7/0x2e3
Apr 1 08:07:15 repan kernel: [<c045dd79>] audit_syscall_entry+0x10d/0x137
Apr 1 08:07:15 repan kernel: [<c0491725>] do_path_lookup+0x162/0x1c4
Apr 1 08:07:15 repan kernel: [<c04906eb>] getname+0x59/0xad
Apr 1 08:07:15 repan kernel: [<c0491ef6>] __user_walk_fd+0x2f/0x40
Apr 1 08:07:15 repan kernel: [<c0487e55>] sys_faccessat+0x9c/0x133
Apr 1 08:07:15 repan kernel: [<c045e06a>] audit_syscall_exit+0x2c7/0x2e3
Apr 1 08:07:15 repan kernel: [<c045dd79>] audit_syscall_entry+0x10d/0x137
Apr 1 08:07:15 repan kernel: [<c0487f0b>] sys_access+0x1f/0x23
Apr 1 08:07:15 repan kernel: [<c04051da>] syscall_call+0x7/0xb
Apr 1 08:07:15 repan kernel: =======================
Apr 1 08:07:15 repan kernel: Code: ee f8 85 d2 74 04 f0 ff 42 60 b9 02 00 00 00 e8 d2 55 5d c7 3d 00 f0 ff ff 76 14 89 6c 24 04 c7 04 24 3b 67 ec f8 e8 0d d4 57 c7 <0f> 0b eb fe 89 43 04 8b 40 0c 8b 40 0c 8b 40 3c 89 03 b8 40 70
Apr 1 08:07:15 repan kernel: EIP: [<f8eb234d>] osi_UFSOpen+0x155/0x1d4 [openafs] SS:ESP 0068:e65d8ca4
Apr 1 08:07:15 repan kernel: ---[ end trace 8495d78836432f9a ]---

Below are samples of SELinux messages logged when SELinux is permissive. Note that SELinux thinks that sshd or dbus-daemon are accessing UDP Port 7001 or /usr/vice/cache/D1/V2774 (I verified the inum).

[EMAIL PROTECTED] sealert -l 27a6d581-4491-4982-a7e7-ae17b6edad4b

Summary:

SELinux is preventing sshd (sshd_t) "write" to <Unknown> (initrc_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by sshd. It is not expected that this access is required by sshd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:initrc_t:s0
Target Objects                None [ udp_socket ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          repan.regent.e-technik.tu-muenchen.de
Source RPM Packages           openssh-server-4.7p1-4.fc8
Target RPM Packages
Policy RPM                    selinux-policy-3.0.8-93.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     repan.regent.e-technik.tu-muenchen.de
Platform                      Linux repan.regent.e-technik.tu-muenchen.de 2.6.24.3-50.fc8 #1 SMP Thu Mar 20 14:47:10 EDT 2008 i686 i686
Alert Count                   8
First Seen                    Mon Mar 31 11:15:28 2008
Last Seen                     Thu Apr 3 10:27:49 2008
Local ID                      27a6d581-4491-4982-a7e7-ae17b6edad4b
Line Numbers

Raw Audit Messages

host=repan.regent.e-technik.tu-muenchen.de type=AVC msg=audit(1207211269.496:427): avc: denied { write } for pid=5324 comm="sshd" lport=7001 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket

host=repan.regent.e-technik.tu-muenchen.de type=SYSCALL msg=audit(1207211269.496:427): arch=40000003 syscall=33 success=no exit=-2 a0=bfc84137 a1=0 a2=46300c a3=b880cd20 items=0 ppid=2204 pid=5324 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

[EMAIL PROTECTED] sealert -l 85f67f82-0bde-4514-ad9f-30a46e7e3bd8

Summary:

SELinux is preventing dbus-daemon (system_dbusd_t) "write" to ./V2774 (usr_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by dbus-daemon. It is not expected that this access is required by dbus-daemon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./V2774,

restorecon -v './V2774'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:system_dbusd_t:s0
Target Context                system_u:object_r:usr_t:s0
Target Objects                ./V2774 [ file ]
Source                        dbus-daemon
Source Path                   /bin/dbus-daemon
Port                          <Unknown>
Host                          repan.regent.e-technik.tu-muenchen.de
Source RPM Packages           dbus-1.1.2-9.fc8
Target RPM Packages
Policy RPM                    selinux-policy-3.0.8-93.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     repan.regent.e-technik.tu-muenchen.de
Platform                      Linux repan.regent.e-technik.tu-muenchen.de 2.6.24.3-50.fc8 #1 SMP Thu Mar 20 14:47:10 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Thu Apr 3 10:42:26 2008
Last Seen                     Thu Apr 3 10:42:26 2008
Local ID                      85f67f82-0bde-4514-ad9f-30a46e7e3bd8
Line Numbers

Raw Audit Messages

host=repan.regent.e-technik.tu-muenchen.de type=AVC msg=audit(1207212146.467:439): avc: denied { write } for pid=2021 comm="dbus-daemon" name="V2774" dev=dm-0 ino=25075960 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

host=repan.regent.e-technik.tu-muenchen.de type=SYSCALL msg=audit(1207212146.467:439): arch=40000003 syscall=5 success=no exit=-2 a0=b995de38 a1=98800 a2=0 a3=0 items=0 ppid=1 pid=2021 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0 key=(null)

Hans

--
Hans Ranke                        [EMAIL PROTECTED]
Lehrstuhl fuer                    Institute for
Entwurfsautomatisierung           Electronic Design Automation
Technische Universitaet Muenchen, Germany
Phone +49 89 289 23660            Fax +49 89 289 63666
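
Added example, not part of the original message or of OpenAFS: a small triage script that scans AVC records for denials on the cache manager's resources (the UDP port 7001 socket and cache files) and groups them by the SELinux domain that was charged, which is how the misattribution reported above shows up in an audit log. It assumes cache files are named V<digits> as in /usr/vice/cache/D1/V2774; the function names are hypothetical, the first two sample records are copied from the message and the third is a constructed control.

```python
import re
from collections import defaultdict

# The first two AVC records are copied from the report above (host= prefix
# dropped); the third is a constructed, unrelated denial used as a control.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1207211269.496:427): avc: denied { write } for pid=5324 comm="sshd" lport=7001 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
type=AVC msg=audit(1207212146.467:439): avc: denied { write } for pid=2021 comm="dbus-daemon" name="V2774" dev=dm-0 ino=25075960 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1207212200.100:440): avc: denied { read } for pid=3000 comm="httpd" name="index.html" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: cache files are named V<digits>, as in /usr/vice/cache/D1/V2774.
CACHE_FILE_RE = re.compile(r"V\d+")
CM_UDP_PORT = "7001"  # UDP port named in the report


def parse_avc(line):
    """Turn one 'avc: denied' record into a dict of its key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def afs_resource(rec):
    """Name the cache-manager resource a record targets, or return None."""
    if rec.get("tclass") == "udp_socket" and rec.get("lport") == CM_UDP_PORT:
        return "udp/" + CM_UDP_PORT
    if rec.get("tclass") == "file" and CACHE_FILE_RE.fullmatch(rec.get("name", "")):
        return "cache file %s (ino %s)" % (rec["name"], rec.get("ino", "?"))
    return None


def misattributed(log_text):
    """Group denials on cache-manager resources by the domain that was charged."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        res = afs_resource(rec) if rec else None
        ctx = rec.get("scontext", "").split(":") if rec else []
        if res and len(ctx) > 2:
            hits[ctx[2]].append((rec.get("comm"), res, rec["perms"]))
    return dict(hits)


if __name__ == "__main__":
    for domain, events in misattributed(SAMPLE_AUDIT).items():
        print(domain, events)
```

Matching on the file name alone is a heuristic; comparing the ino= field against the inode numbers of the files in the cache directory confirms a hit.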
