** Description changed:

+ SRU Justification:
+
+ Impact: kernel panics when SELinux is enabled.
+
+ Fix: A non-upstream patch from Eric Paris fixes this issue specifically
+ for Ubuntu.
+
+ "Ubuntu users were experiencing a kernel panic when they enabled SELinux due to an old bug in our handling of the compatibility mode network controls, introduced Jan 1 2008 effad8df44261031a882e1a895415f7186a5098e
+ Most distros have not used the compat_net code since the new code was introduced and so no one has hit this problem before. Ubuntu is the only distro I know that enabled that legacy cruft by default. But, I was asked
+ to look at it and found that the above patch changed a call to avc_has_perm from if(send_perm) to if(!send_perm) in selinux_ip_postroute_iptables_compat(). The result is that users who turn on SELinux and have compat_net set can (and often will) BUG() in avc_has_perm_noaudit since they are requesting 0 permissions.
+
+ This patch corrects that accidental bug introduction."
+
+ Testcase: Testkernel (see below)
+
+ ---
+
I believe this is an accidental regression related to:
https://bugs.launchpad.net/bugs/357041

Several patches were tried for this bug, with most of them causing kernel panics similar to the one attached. The final patch was tested out for the -14 kernel and worked ok.

Thanks,
Caleb
--
selinux kernel panic 2.6.28-13.45
https://bugs.launchpad.net/bugs/395219
