Package: linux-image-2.6.26-2-686
Version: 2.6.26-15lenny2
Severity: important

In my tests the latest 2.6 kernels for i386 (both Xen and non-Xen) and for AMD64 Xen will crash if SE Linux is enabled. The crash occurs even if SE Linux is in permissive mode, so the kernel parameter "selinux=0" is required to boot the machine after installing such a kernel.

Here is a back-trace from an AMD64 system:

[ 8.252947] kernel BUG at security/selinux/avc.c:883!
[ 8.252954] invalid opcode: 0000 [1] SMP
[ 8.252961] CPU 0
[ 8.252966] Modules linked in: ext3 jbd mbcache thermal_sys
[ 8.252978] Pid: 0, comm: swapper Not tainted 2.6.26-2-xen-amd64 #1
[ 8.252985] RIP: e030:[<ffffffff802e61dd>] [<ffffffff802e61dd>] avc_has_perm_noaudit+0x26/0x379
[ 8.253002] RSP: e02b:ffffffff80595a00 EFLAGS: 00010246
[ 8.253008] RAX: 0000000000000000 RBX: 0000000000000011 RCX: 0000000000000000
[ 8.253015] RDX: 0000000000000011 RSI: 0000000000000009 RDI: 0000000000000001
[ 8.253022] RBP: 0000000000000009 R08: 0000000000000000 R09: ffffffff80595ab0
[ 8.253028] R10: 0000000000000007 R11: ffffffff803e932b R12: 0000000000000011
[ 8.253034] R13: 0000000000000001 R14: 0000000000000009 R15: ffffffff80595b40
[ 8.253044] FS: 00007f7e2649f6e0(0000) GS:ffffffff80539000(0000) knlGS:0000000000000000
[ 8.253053] CS: e033 DS: 0000 ES: 0000
[ 8.253059] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 8.253066] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 8.253073] Process swapper (pid: 0, threadinfo ffffffff80552000, task ffffffff804fe460)
[ 8.253081] Stack: 0000000000000000 ffffffff80595ab0 0000000000000000 0000001200000000
[ 8.253095] 0012880000000012 000000010000000c ffffffff804fe460 ffffffff00000000
[ 8.253106] 00000000ffffffff 00000001ffffffff ffffffff80595b90 ffffffff8026fe3e
[ 8.253115] Call Trace:
[ 8.253122] <IRQ> [<ffffffff8026fe3e>] ? mod_zone_page_state+0x2c/0x5b
[ 8.253135] [<ffffffff802e7049>] ? avc_has_perm+0x2b/0x5b
[ 8.253143] [<ffffffff802efd58>] ? sel_netport_sid+0x13b/0x16b
[ 8.253151] [<ffffffff802e9ec1>] ? selinux_ip_postroute+0x1eb/0x38b
[ 8.253160] [<ffffffff803dfab8>] ? nf_iterate+0x41/0x7d
[ 8.253168] [<ffffffff803e8e81>] ? ip_finish_output+0x0/0x241
[ 8.253175] [<ffffffff803dfb51>] ? nf_hook_slow+0x5d/0xbe
[ 8.253182] [<ffffffff803e8e81>] ? ip_finish_output+0x0/0x241
[ 8.253189] [<ffffffff803e93b4>] ? ip_output+0x89/0xa1
[ 8.253196] [<ffffffff803e8b3d>] ? ip_local_out+0x9/0x1f
[ 8.253204] [<ffffffff803e8e12>] ? ip_push_pending_frames+0x2bf/0x32e
[ 8.253211] [<ffffffff804075b4>] ? icmp_send+0x4fc/0x54b
[ 8.253220] [<ffffffff8020e911>] ? xen_clocksource_read+0xd/0x9c
[ 8.253228] [<ffffffff8020e9f1>] ? profile_pc+0x21/0x53
[ 8.253235] [<ffffffff803e08a8>] ? ipv4_link_failure+0x15/0x45
[ 8.253242] [<ffffffff804051cb>] ? arp_error_report+0x24/0x2d
[ 8.253250] [<ffffffff803cdcb2>] ? neigh_timer_handler+0x21d/0x313
[ 8.253257] [<ffffffff803cda95>] ? neigh_timer_handler+0x0/0x313
[ 8.253264] [<ffffffff802356b7>] ? run_timer_softirq+0x190/0x237
[ 8.253273] [<ffffffff80231ca0>] ? __do_softirq+0x77/0x103
[ 8.253280] [<ffffffff8020c13c>] ? call_softirq+0x1c/0x28
[ 8.253287] [<ffffffff8020e08a>] ? do_softirq+0x55/0xbb
[ 8.253294] [<ffffffff8020e16d>] ? do_IRQ+0x7d/0x9a
[ 8.253301] [<ffffffff8037d41c>] ? evtchn_do_upcall+0x13c/0x1fc
[ 8.253309] [<ffffffff8020bbde>] ? do_hypervisor_callback+0x1e/0x30
[ 8.253315] <EOI> [<ffffffff8020e795>] ? xen_safe_halt+0x90/0xa6
[ 8.253326] [<ffffffff8020a0c8>] ? xen_idle+0x2e/0x66
[ 8.253332] [<ffffffff80209cd6>] ? cpu_idle+0x97/0xb9
[ 8.253338]
[ 8.253342]
[ 8.253346] Code: 41 5e 41 5f c3 41 57 41 56 41 89 f6 41 55 41 89 fd 41 54 55 53 48 83 ec 68 85 c9 89 4c 24 18 44 89 44 24 14 4c 89 4c 24 08 75 04 <0f> 0b eb fe 0f b7 f2 48 c7 c0 50 f6 58 80 46 8d 24 b5 00 00 00
[ 8.253408] RIP [<ffffffff802e61dd>] avc_has_perm_noaudit+0x26/0x379
[ 8.253417] RSP <ffffffff80595a00>
[ 8.253424] ---[ end trace a7e19496a9366ab4 ]---
[ 8.253431] Kernel panic - not syncing: Aiee, killing interrupt handler!

I can provide i386 back-traces if desired. If you want a non-Xen back-trace I could do that too, but getting a serial console going would take a little time so I hope you can track this down without it.

-- Package-specific info:

-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash

Versions of packages linux-image-2.6.26-2-686 depends on:
ii  debconf [debconf-2.0]         1.5.24         Debian configuration management sy
ii  initramfs-tools [linux-initra 0.92o          tools for generating an initramfs
ii  module-init-tools             3.4-1          tools for managing Linux kernel mo

Versions of packages linux-image-2.6.26-2-686 recommends:
ii  libc6-i686                    2.7-18         GNU C Library: Shared libraries [i

Versions of packages linux-image-2.6.26-2-686 suggests:
ii  grub                          0.97-47lenny2  GRand Unified Bootloader (Legacy v
pn  linux-doc-2.6.26              <none>         (no description available)

-- debconf information excluded