On Thu, 27 May 2004 18:39, Matthew East <matthew.east(a)iue.it> wrote:
> I cannot build and install a kernel with selinux enabled. Here is what
> happens towards the end of the modules_install stage:
> if [ -r System.map ]; then /sbin/depmod -ae -F System.map -b
> /var/tmp/kernel-2.6.6-root -r 2.6.6; fi
> WARNING: Couldn't open directory
> /var/tmp/kernel-2.6.6-root/lib/modules/2.6.6: Permission denied
> FATAL: Could not open
> /var/tmp/kernel-2.6.6-root/lib/modules/2.6.6/modules.dep.temp for
> writing: Permission denied
> make[1]: *** [_modinst_post] Error 1
> error: Bad exit status from /var/tmp/rpm-tmp.11877 (%install)
Steve suggested adding tmp_domain(depmod), which will allow search access to
tmp_t; however, I expect that /var/tmp/kernel-2.6.6-root/lib/modules/2.6.6
will have type sysadm_tmp_t, so something like the following will probably do
better:
allow depmod_t tmp_t:dir search;
rw_dir_create_file(depmod_t, sysadm_tmp_t)
But the ideal solution (IMHO) would be to build kernels as non-root and
non-sysadm_t. There is no reason why compiling a kernel should require
administrative access, if it won't compile as a regular user then that's a
bug and should be filed in bugzilla. user_t and staff_t can execute
depmod_exec_t without a domain transition and won't have any problems in this
regard.
audit(1085609097.359:0): avc: denied { search } for pid=17414
exe=/sbin/depmod name=tmp dev=hda2 ino=196228
scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:tmp_t
tclass=dir
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
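As an added illustration (not code from this thread or from the SELinux policy tools), here is a small Python script that does what audit2allow-style tooling does with the denial quoted above: parse the avc message, take the type field out of each context, and aggregate the denied permissions into allow rules. The first sample is the denial from the thread re-joined onto one line; the second is constructed to mirror the guess about sysadm_tmp_t and is not a real denial.

```python
import re

# Sample 1: the AVC message quoted in the thread, whitespace re-joined.
SAMPLE_AVC = (
    "audit(1085609097.359:0): avc: denied { search } for pid=17414 "
    "exe=/sbin/depmod name=tmp dev=hda2 ino=196228 "
    "scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:tmp_t tclass=dir"
)
# Sample 2: constructed (hypothetical) follow-on denial on the sysadm_tmp_t dir.
CONSTRUCTED_AVC = (
    "audit(1085609097.360:0): avc: denied { write add_name } for pid=17414 "
    "exe=/sbin/depmod name=2.6.6 dev=hda2 ino=196229 "
    "scontext=root:sysadm_r:depmod_t tcontext=root:object_r:sysadm_tmp_t tclass=dir"
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; the type is always the third field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    perms = tuple(sorted(m.group("perms").split()))
    return stype, ttype, m.group("tclass"), perms

def allow_rules(lines):
    """Aggregate denials into one allow rule per (source, target, class) triple.
    Raw allow rules are what the denial literally asks for; in real policy you
    would usually prefer a macro such as rw_dir_create_file() from the thread."""
    wanted = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        wanted.setdefault((stype, ttype, tclass), set()).update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(wanted.items()):
        p = " ".join(sorted(perms))
        p = p if len(perms) == 1 else "{ " + p + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {p};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules([SAMPLE_AVC, CONSTRUCTED_AVC]):
        print(rule)
```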