The warnings seem to be caused by 'rpm' not assigning the proper contexts to 'installed' files.
The 'FATAL' message from 'mkinitrd' seems to be due to a problem with 'ulimit' defaults.
A workaround until fixed: install/update kernel only in permissive mode, and make sure you do a 'ulimit -l unlimited' before running 'yum' (so you'll enter 'setenforce 0; ulimit -l unlimited'). I think you'll still get the warnings, but the command will succeed without the fatal error. After the yum 'succeeds', you probably will need to correct the context labels for the kernel files. Easiest way to do that is to run
    FC=/etc/selinux/strict/contexts/files/file_contexts
    setfiles -v $FC /lib/modules/2.6.6-1.427
    setfiles -v $FC /boot
BEFORE you reboot, or to reboot single-user, permissive mode (by adding 'single enforcing=0' to the boot params) and then running 'fixfiles relabel'. Then you can reboot multi-user as usual.
If you've updated more than just the kernel package, you probably want to do the 'boot single-user/permissive, run fixfiles' path.
tom
--------------------------------------
From: Richard Hally <rhallyx mindspring com>
To: fedora-selinux-list redhat com
Subject: avc denied from kernel 427 update
Date: Sun, 13 Jun 2004 02:29:05 -0400
Below a few of the over 100 warning and error messages from doing yum update today (6/12/04). Of the ones that didn't scroll off, they are all about the 427/build directory tree. This is in enforcing mode using the most recent strict policy that existed before today's update to selinux-policy-strict-sources-1.13.4-5. The avc denied messages are further below. HTH Richard Hally
-----------------------------------------------------------------------------------------------------
from yum update:
...
WARNING: Couldn't stat /lib/modules/2.6.6-1.427/build/.config: Permission denied
WARNING: Couldn't stat /lib/modules/2.6.6-1.427/build/init/Makefile: Permission denied
WARNING: Couldn't stat /lib/modules/2.6.6-1.427/build/init/Kconfig: Permission denied
FATAL: Could not open /lib/modules/2.6.6-1.427/modules.dep.temp for writing: Permission denied
/bin/bash: /root/.bashrc: Permission denied
No dep file found for kernel 2.6.6-1.427
mkinitrd failed
-------------------------------------------------------------------
And here are some of the avc denied messages
Jun 12 19:27:20 new2 kernel: audit(1087082831.128:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/net/ipv4/Kconfig dev=hda2 ino=543312 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/.config dev=hda2 ino=525543 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/init/Makefile dev=hda2 ino=525592 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/init/Kconfig dev=hda2 ino=525591 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { write } for pid=5774 exe=/sbin/depmod name=2.6.6-1.427 dev=hda2 ino=525541 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=dir
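Every denial above has the same shape: a depmod_t process touching objects that carry the generic lib_t type, which is what Tom's relabelling advice addresses. The following triage script is an added example, not code from the thread; it parses AVC lines in the format shown, groups them by executable, source type, target type and object class, and lists the directory trees to hand to setfiles. The sample lines are copied from the quoted log; the depth-3 path grouping is an assumption chosen to match /lib/modules/<version>.

```python
import re
from collections import defaultdict

# Constructed sample: three of the AVC lines quoted in the thread (format copied as-is).
SAMPLE_LOG = """\
Jun 12 19:27:20 new2 kernel: audit(1087082831.128:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/net/ipv4/Kconfig dev=hda2 ino=543312 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/.config dev=hda2 ino=525543 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { write } for pid=5774 exe=/sbin/depmod name=2.6.6-1.427 dev=hda2 ino=525541 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return the key=value fields of one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = frozenset(m.group("perms").split())
    rec["stype"] = rec.get("scontext", "").split(":")[-1]  # context is user:role:type
    rec["ttype"] = rec.get("tcontext", "").split(":")[-1]  # allow rules key on the type
    return rec

def summarize(log_text):
    """Group denials by (exe, source type, target type, class), collecting perms and paths."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "paths": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec.get("exe"), rec["stype"], rec["ttype"], rec.get("tclass"))]
        g["count"] += 1
        g["perms"] |= rec["perms"]
        if "path" in rec:  # 'name=' entries (the dir denial) carry no full path
            g["paths"].add(rec["path"])
    return dict(groups)

def relabel_roots(groups, depth=3):
    """Distinct trees (first `depth` path components) to pass to setfiles, e.g. /lib/modules/<ver>."""
    roots = set()
    for g in groups.values():
        for p in g["paths"]:
            roots.add("/" + "/".join(p.split("/")[1:depth + 1]))
    return roots

if __name__ == "__main__":
    g = summarize(SAMPLE_LOG)
    print(sorted(g), sorted(relabel_roots(g)))
```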
Tom London wrote:
> The warnings seem to be caused by 'rpm' not assigning the proper contexts to 'installed' files.
> The 'FATAL' message from 'mkinitrd' seems to be due to a problem with 'ulimit' defaults.
> A workaround until fixed: install/update kernel only in permissive mode, and make sure you do a 'ulimit -l unlimited' before running 'yum' (so you'll enter 'setenforce 0; ulimit -l unlimited'). I think you'll still get the warnings, but the command will succeed without the fatal error.
> <snip>
> From: Richard Hally <rhallyx mindspring com>
> To: fedora-selinux-list redhat com
> Subject: avc denied from kernel 427 update
> Date: Sun, 13 Jun 2004 02:29:05 -0400
> Below a few of the over 100 warning and error messages from doing yum update today (6/12/04). Of the ones that didn't scroll off, they are all about the 427/build directory tree. This is in enforcing mode using the most recent strict policy that existed before today's update to selinux-policy-strict-sources-1.13.4-5. The avc denied messages are further below. HTH Richard Hally
> <snip>

Thanks for the reminders about ulimit and resetting file contexts after an update of policy.
My simplistic approach is:
    setenforce 0
    rpm -e kernel-2.6.6-1.427
    ulimit -l unlimited
    yum install kernel
    reboot single enforcing=0 (with the 422 kernel, the 427 kernel is FUBAR)
    fixfiles relabel
    rpm -e kernel-2.6.6-1.427 !
Richard Hally