CONFIG_SECURITY_SELINUX_DISABLE should be disabled on 4.15/4.18 Azure

Bug #1813866 reported by Po-Hsu Lin on 2019-01-30
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ubuntu-kernel-tests
Undecided
Po-Hsu Lin
linux-azure (Ubuntu)
Undecided
Po-Hsu Lin
Xenial
Undecided
Unassigned
Bionic
Undecided
Unassigned
Cosmic
Undecided
Unassigned

Bug Description

The test_081_config_security_selinux_disable test failed on the Trusty
Azure kernel:

FAIL: test_081_config_security_selinux_disable (__main__.KernelSecurityConfigTest)
Ensure CONFIG_SECURITY_SELINUX_DISABLE is disabled (LP: #1680315)
----------------------------------------------------------------------
Traceback (most recent call last):
File "./test-kernel-security.py", line 2152, in test_081_config_security_selinux_disable
self.assertKernelConfig('SECURITY_SELINUX_DISABLE', expected)
File "./test-kernel-security.py", line 209, in assertKernelConfig
self.assertKernelConfigUnset(name)
File "./test-kernel-security.py", line 200, in assertKernelConfigUnset
'%s option was expected to be unset in the kernel config' % name)
AssertionError: SECURITY_SELINUX_DISABLE option was expected to be unset in the kernel config

Po-Hsu Lin (cypressyew) wrote :

Found on B-4.18, B-4.15, C-4.18

So, we should fix this in 4.15 and 4.18

Po-Hsu Lin (cypressyew) on 2019-01-31
summary: - CONFIG_SECURITY_SELINUX_DISABLE should be disabled on T-4.15 Azure
+ CONFIG_SECURITY_SELINUX_DISABLE should be disabled on 4.15/4.18 Azure
Po-Hsu Lin (cypressyew) on 2019-01-31
Changed in ubuntu-kernel-tests:
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in linux-azure (Ubuntu):
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
status: New → In Progress
Changed in linux-azure (Ubuntu):
status: New → In Progress
tags: added: azure bionic cosmic
Changed in linux-azure (Ubuntu Bionic):
status: New → Fix Committed
Changed in linux-azure (Ubuntu Cosmic):
status: New → Fix Committed
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-azure - 4.18.0-1011.11

---------------
linux-azure (4.18.0-1011.11) cosmic; urgency=medium

  * linux-azure: 4.18.0-1011.11 -proposed tracker (LP: #1816081)

  * 4.15.0-1037 does not see all PCI devices on GPU VMs (LP: #1816106)
    - Revert "PCI: hv: Make sure the bus domain is really unique"

linux-azure (4.18.0-1009.9) cosmic; urgency=medium

  * Allow I/O schedulers to be loaded with modprobe in linux-azure
    (LP: #1813211)
    - [Config] linux-azure: Enable all IO schedulers as modules

  * [Hyper-V] srcu: Lock srcu_data structure in srcu_gp_start() (LP: #1802021)
    - srcu: Lock srcu_data structure in srcu_gp_start()

  * CONFIG_SECURITY_SELINUX_DISABLE should be disabled on 4.15/4.18 Azure
    (LP: #1813866)
    - [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE

  [ Ubuntu: 4.18.0-15.16 ]

  * Ubuntu boot failure. 4.18.0-14 boot stalls. (does not boot) (LP: #1814555)
    - Revert "drm/i915/ringbuffer: Delay after EMIT_INVALIDATE for gen4/gen5"
  * Userspace break as a result of missing patch backport (LP: #1813873)
    - tty: Don't hold ldisc lock in tty_reopen() if ldisc present

 -- Stefan Bader <email address hidden> Fri, 15 Feb 2019 17:16:24 +0100

Changed in linux-azure (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (304.9 KiB)

This bug was fixed in the package linux-azure - 4.18.0-1011.11~18.04.1

---------------
linux-azure (4.18.0-1011.11~18.04.1) bionic; urgency=medium

  * linux-azure: 4.18.0-1011.11~18.04.1 -proposed tracker (LP: #1816080)

  * Miscellaneous Ubuntu changes
    - Start new release

  [ Ubuntu: 4.18.0-1011.11 ]

  * linux-azure: 4.18.0-1011.11 -proposed tracker (LP: #1816081)
  * 4.15.0-1037 does not see all PCI devices on GPU VMs (LP: #1816106)
    - Revert "PCI: hv: Make sure the bus domain is really unique"

linux-azure (4.18.0-1009.9~18.04.1) bionic; urgency=medium

  * linux-azure: 4.18.0-1009.9~18.04.1 -proposed tracker (LP: #1814733)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * Move bionic/linux-azure to 4.18 (LP: #1815451)
    - [Packaging] bionic/linux-azure is now a backport of cosmic/linux-azure

  * Miscellaneous Ubuntu changes
    - Start new release

  [ Ubuntu: 4.18.0-1009.9 ]

  * Allow I/O schedulers to be loaded with modprobe in linux-azure
    (LP: #1813211)
    - [Config] linux-azure: Enable all IO schedulers as modules
  * [Hyper-V] srcu: Lock srcu_data structure in srcu_gp_start() (LP: #1802021)
    - srcu: Lock srcu_data structure in srcu_gp_start()
  * CONFIG_SECURITY_SELINUX_DISABLE should be disabled on 4.15/4.18 Azure
    (LP: #1813866)
    - [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE
  * Ubuntu boot failure. 4.18.0-14 boot stalls. (does not boot) (LP: #1814555)
    - Revert "drm/i915/ringbuffer: Delay after EMIT_INVALIDATE for gen4/gen5"
  * Userspace break as a result of missing patch backport (LP: #1813873)
    - tty: Don't hold ldisc lock in tty_reopen() if ldisc present

linux-azure (4.18.0-1008.8~18.04.1) bionic; urgency=medium

  * linux-azure-edge: 4.18.0-1008.8~18.04.1 -proposed tracker (LP: #1811410)

  [ Ubuntu: 4.18.0-1008.8 ]

  * linux-azure: 4.18.0-1008.8 -proposed tracker (LP: #1811415)
  * Cosmic update: 4.18.19 upstream stable release (LP: #1810820)
    - [Config] Update config after 4.18.0-14.15 rebase
  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts
  * linux: 4.18.0-14.15 -proposed tracker (LP: #1811406)
  * CPU hard lockup with rigorous writes to NVMe drive (LP: #1810998)
    - blk-wbt: Avoid lock contention and thundering herd issue in wbt_wait
    - blk-wbt: move disable check into get_limit()
    - blk-wbt: use wq_has_sleeper() for wq active check
    - blk-wbt: fix has-sleeper queueing check
    - blk-wbt: abstract out end IO completion handler
    - blk-wbt: improve waking of tasks
  * To reduce the Realtek USB cardreader power consumption (LP: #1811337)
    - mmc: core: Introduce MMC_CAP_SYNC_RUNTIME_PM
    - mmc: rtsx_usb_sdmmc: Don't runtime resume the device while changing led
    - mmc: rtsx_usb_sdmmc: Re-work runtime PM support
    - mmc: rtsx_usb_sdmmc: Re-work card detection/removal support
    - memstick: rtsx_usb_ms: Add missing pm_runtime_disable() in probe function
    - misc: rtsx_usb: Use USB remote wakeup signaling for card insertion detection
    - memstick: Prevent memstick host from getting runtime suspended during card
      detection
    - memstick: rtsx_usb_ms: Use ms_dev() helper
    - memstick: rtsx_...

Changed in linux-azure (Ubuntu Bionic):
status: Fix Committed → Fix Released
Changed in linux-azure (Ubuntu Xenial):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-azure - 4.18.0-1011.11

---------------
linux-azure (4.18.0-1011.11) cosmic; urgency=medium

  * linux-azure: 4.18.0-1011.11 -proposed tracker (LP: #1816081)

  * 4.15.0-1037 does not see all PCI devices on GPU VMs (LP: #1816106)
    - Revert "PCI: hv: Make sure the bus domain is really unique"

linux-azure (4.18.0-1009.9) cosmic; urgency=medium

  * Allow I/O schedulers to be loaded with modprobe in linux-azure
    (LP: #1813211)
    - [Config] linux-azure: Enable all IO schedulers as modules

  * [Hyper-V] srcu: Lock srcu_data structure in srcu_gp_start() (LP: #1802021)
    - srcu: Lock srcu_data structure in srcu_gp_start()

  * CONFIG_SECURITY_SELINUX_DISABLE should be disabled on 4.15/4.18 Azure
    (LP: #1813866)
    - [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE

  [ Ubuntu: 4.18.0-15.16 ]

  * Ubuntu boot failure. 4.18.0-14 boot stalls. (does not boot) (LP: #1814555)
    - Revert "drm/i915/ringbuffer: Delay after EMIT_INVALIDATE for gen4/gen5"
  * Userspace break as a result of missing patch backport (LP: #1813873)
    - tty: Don't hold ldisc lock in tty_reopen() if ldisc present

 -- Stefan Bader <email address hidden> Fri, 15 Feb 2019 17:16:24 +0100

Changed in linux-azure (Ubuntu):
status: In Progress → Fix Released
Po-Hsu Lin (cypressyew) wrote :

test_080_config_security_selinux (__main__.KernelSecurityConfigTest)
CONFIG_SECURITY_SELINUX enabled ... ok

4.15.0-1032.33-azure

tags: added: verification-done-bionic
removed: verification-needed-bionic
Launchpad Janitor (janitor) wrote :
Download full text (12.4 KiB)

This bug was fixed in the package linux-azure - 4.15.0-1040.44

---------------
linux-azure (4.15.0-1040.44) xenial; urgency=medium

  * linux-azure: 4.15.0-1040.44 -proposed tracker (LP: #1817038)

  * Packaging resync (LP: #1786013)
    - [Packaging] resync retpoline extraction

  * CONFIG_SECURITY_SELINUX_DISABLE should be disabled on 4.15/4.18 Azure
    (LP: #1813866)
    - [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE
    - [Config] Update configs

  * Allow I/O schedulers to be loaded with modprobe in linux-azure
    (LP: #1813211)
    - [Config] linux-azure: Enable all IO schedulers as modules

  * [Hyper-V] srcu: Lock srcu_data structure in srcu_gp_start() (LP: #1802021)
    - srcu: Prohibit call_srcu() use under raw spinlocks
    - srcu: Lock srcu_data structure in srcu_gp_start()

  [ Ubuntu: 4.15.0-46.49 ]

  * linux: 4.15.0-46.49 -proposed tracker (LP: #1814726)
  * mprotect fails on ext4 with dax (LP: #1799237)
    - x86/speculation/l1tf: Exempt zeroed PTEs from inversion
  * kernel BUG at /build/linux-vxxS7y/linux-4.15.0/mm/slub.c:296! (LP: #1812086)
    - iscsi target: fix session creation failure handling
    - scsi: iscsi: target: Set conn->sess to NULL when iscsi_login_set_conn_values
      fails
    - scsi: iscsi: target: Fix conn_ops double free
  * user_copy in user from ubuntu_kernel_selftests failed on KVM kernel
    (LP: #1812198)
    - selftests: user: return Kselftest Skip code for skipped tests
    - selftests: kselftest: change KSFT_SKIP=4 instead of KSFT_PASS
    - selftests: kselftest: Remove outdated comment
  * RTL8822BE WiFi Disabled in Kernel 4.18.0-12 (LP: #1806472)
    - SAUCE: staging: rtlwifi: allow RTLWIFI_DEBUG_ST to be disabled
    - [Config] CONFIG_RTLWIFI_DEBUG_ST=n
    - SAUCE: Add r8822be to signature inclusion list
  * kernel oops in bcache module (LP: #1793901)
    - SAUCE: bcache: never writeback a discard operation
  * CVE-2018-18397
    - userfaultfd: use ENOENT instead of EFAULT if the atomic copy user fails
    - userfaultfd: shmem: allocate anonymous memory for MAP_PRIVATE shmem
    - userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas
    - userfaultfd: shmem: add i_size checks
    - userfaultfd: shmem: UFFDIO_COPY: set the page dirty if VM_WRITE is not set
  * Ignore "incomplete report" from Elan touchpanels (LP: #1813733)
    - HID: i2c-hid: Ignore input report if there's no data present on Elan
      touchpanels
  * Vsock connect fails with ENODEV for large CID (LP: #1813934)
    - vhost/vsock: fix vhost vsock cid hashing inconsistent
  * SRU: Fix thinkpad 11e 3rd boot hang (LP: #1804604)
    - ACPI / LPSS: Force LPSS quirks on boot
  * Bionic update: upstream stable patchset 2019-01-17 (LP: #1812229)
    - scsi: sd_zbc: Fix variable type and bogus comment
    - KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in
      parallel.
    - x86/apm: Don't access __preempt_count with zeroed fs
    - x86/events/intel/ds: Fix bts_interrupt_threshold alignment
    - x86/MCE: Remove min interval polling limitation
    - fat: fix memory allocation failure handling of match_strdup()
    - ALSA: hda/realtek - Add Panasonic CF-SZ6 headset jack quirk
    - ARCv2:...

Changed in linux-azure (Ubuntu Xenial):
status: Fix Committed → Fix Released
Po-Hsu Lin (cypressyew) on 2019-03-06
Changed in ubuntu-kernel-tests:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers