SECURITY_SELINUX_DISABLE should be enabled on X s390x

Bug #1813721 reported by Po-Hsu Lin
This bug affects 1 person
Affects                 Status         Importance  Assigned to  Milestone
QA Regression Testing   Fix Released   Undecided   Unassigned
ubuntu-kernel-tests     Fix Released   Undecided   Unassigned
linux (Ubuntu)          Invalid        Undecided   Unassigned
  Xenial                Invalid        Undecided   Po-Hsu Lin

Bug Description

== SRU Justification ==
The security team requires that CONFIG_SECURITY_SELINUX_DISABLE be
enabled in all of our kernels.

Currently it's not enabled for s390x in Xenial, which causes the
test_081_config_security_selinux_disable test in the ubuntu_kernel_security
test suite to complain about this:

  ======================================================================
  FAIL: test_081_config_security_selinux_disable (__main__.KernelSecurityConfigTest)
  Ensure CONFIG_SECURITY_SELINUX_DISABLE is disabled (LP: #1680315)
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-kernel-security.py", line 2158, in test_081_config_security_selinux_disable
      self.assertKernelConfig('SECURITY_SELINUX_DISABLE', expected)
    File "./test-kernel-security.py", line 207, in assertKernelConfig
      self.assertKernelConfigSet(name)
    File "./test-kernel-security.py", line 194, in assertKernelConfigSet
      '%s option was expected to be set in the kernel config' % name)
  AssertionError: SECURITY_SELINUX_DISABLE option was expected to be set in the kernel config

== Test ==
A test kernel could be found here:
https://people.canonical.com/~phlin/kernel/lp-1813721-s390x-selinux/

This issue can be verified with a q-r-t test,
test_081_config_security_selinux_disable; the test will pass with the
patched kernel.

  test_081_config_security_selinux_disable (__main__.KernelSecurityConfigTest)
  Ensure CONFIG_SECURITY_SELINUX_DISABLE is disabled (LP: #1680315) ... (skipped: l) ok

== Regression Potential ==
Low, we already have this config enabled in all kernels except this
specific Xenial s390x.

  ----------------------------------------------------------------------

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: linux-image-4.4.0-142-generic 4.4.0-142.168
ProcVersionSignature: Ubuntu 4.4.0-142.168-generic 4.4.167
Uname: Linux 4.4.0-142-generic s390x
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
AlsaDevices: Error: command ['ls', '-l', '/dev/snd/'] failed with exit code 2: ls: cannot access '/dev/snd/': No such file or directory
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
ApportVersion: 2.20.1-0ubuntu2.18
Architecture: s390x
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 not found.
CurrentDmesg:

Date: Tue Jan 29 02:30:42 2019
HibernationDevice: RESUME=UUID=ca468a9c-9563-442c-85c6-6055e800a66e
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
Lspci:

Lsusb: Error: command ['lsusb'] failed with exit code 1:
PciMultimedia:

ProcFB: Error: [Errno 2] No such file or directory: '/proc/fb'
ProcKernelCmdLine: root=UUID=b65b756a-ba4e-4c53-aa32-0db2bdb50bb3 crashkernel=196M
RelatedPackageVersions:
 linux-restricted-modules-4.4.0-142-generic N/A
 linux-backports-modules-4.4.0-142-generic N/A
 linux-firmware 1.157.21
RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)

Po-Hsu Lin (cypressyew) wrote :
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1813721

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Xenial):
status: New → Confirmed
Changed in linux (Ubuntu):
status: Incomplete → Won't Fix
status: Won't Fix → Invalid
Po-Hsu Lin (cypressyew)
Changed in linux (Ubuntu Xenial):
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
assignee: nobody → Po-Hsu Lin (cypressyew)
status: New → In Progress
Changed in linux (Ubuntu Xenial):
status: Confirmed → In Progress
Po-Hsu Lin (cypressyew)
description: updated
Po-Hsu Lin (cypressyew)
description: updated
Po-Hsu Lin (cypressyew)
tags: added: ubuntu-qrt-kernel-security
Steve Beattie (sbeattie) wrote :

Turning this option off is only significant in 4.12 kernels and newer, where the LSM hooks make use of __ro_after_init if CONFIG_SECURITY_SELINUX_DISABLE is disabled.

Per the discussion on the kernel-team list (https://lists.ubuntu.com/archives/kernel-team/2019-July/102026.html), I've made sure the test won't fail for kernels older than 4.12 regardless of whether CONFIG_SECURITY_SELINUX_DISABLE is set or unset: https://git.launchpad.net/qa-regression-testing/commit/?id=3a1752a5f5743fb330336b4d01f0a6a4200fe31f

Thanks.

Changed in qa-regression-testing:
status: New → Fix Released
Po-Hsu Lin (cypressyew)
Changed in linux (Ubuntu Xenial):
status: In Progress → Invalid
Changed in ubuntu-kernel-tests:
status: In Progress → Fix Released
assignee: Po-Hsu Lin (cypressyew) → nobody
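
An added example (not the qa-regression-testing code, and not part of any comment above) of the version-gated check described in the last comment: on kernels older than 4.12 the result is neutral whether the option is set or unset, and from 4.12 on the check passes only when CONFIG_SECURITY_SELINUX_DISABLE is off. The function names and the sample config fragments are constructed for illustration.

```python
import re

# Constructed sample fragments in /boot/config-<release> format (not from the page).
CONFIG_OPTION_UNSET = """\
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
# CONFIG_SECURITY_SELINUX_DISABLE is not set
"""
CONFIG_OPTION_SET = """\
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_DISABLE=y
"""


def parse_kconfig(text):
    """Map option name (without CONFIG_) to its value; unset options map to None."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"CONFIG_(\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r"# CONFIG_(\w+) is not set$", line)
        if m:
            opts[m.group(1)] = None
    return opts


def kernel_version(release):
    """Turn a `uname -r` string such as '4.4.0-142-generic' into (4, 4)."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError("unparseable kernel release: %r" % release)
    return int(m.group(1)), int(m.group(2))


def check_selinux_disable(release, config_text):
    """Return 'skip', 'pass' or 'fail' for SECURITY_SELINUX_DISABLE."""
    if kernel_version(release) < (4, 12):
        # Before 4.12 the setting does not affect __ro_after_init on LSM hooks,
        # so neither value is treated as a failure.
        return "skip"
    opts = parse_kconfig(config_text)
    # 4.12 and newer: the hooks are read-only after init only with the option off.
    return "fail" if opts.get("SECURITY_SELINUX_DISABLE") == "y" else "pass"
```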