install of kernel-2.6.7-1.492: mkinitrd fails in strict/enforcing .......
Stephen Smalley
sds at epoch.ncsc.mil
Fri Jul 16 17:49:24 UTC 2004
On Fri, 2004-07-16 at 12:44, Tom London wrote:
> 'yum update' for the kernel-2.6.7-1.492 doesn't work
> (strict/enforcing mode, selinux-policy-strict-1.15.5-2):
>
> kernel 100 % done 18/47
> /bin/bash: /root/.bashrc: Permission denied
> /lib/modules/2.6.7-1.492 is not a directory.
> mkinitrd failed
> /
>
> [I checked, and no initrd-2.6.7-1.492.img in /boot]
>
> I found this message in /var/log/messages:
> Jul 16 07:52:15 fedora kernel: audit(1089989535.207:0): avc:
> denied { getattr } for pid=3420 exe=/bin/bash
> path=/lib/modules/2.6.7-1.492 dev=hda2 ino=3671053
> scontext=root:sysadm_r:bootloader_t
> tcontext=system_u:object_r:modules_object_t tclass=dir
>
> I set 'strict/permissive', did 'rpm -e kernel-2.6.7-1.492'
> and did the 'yum update' again and got:
> Dependencies resolved
> I will do the following:
> [install: kernel 2.6.7-1.492.i686]
> Is this ok [y/N]: y
> Downloading Packages
> Running test transaction:
> WARNING: Multiple same specifications for /halt.
> WARNING: Multiple same specifications for /\.autofsck.
> Test transaction complete, Success!
> WARNING: Multiple same specifications for /halt.
> WARNING: Multiple same specifications for /\.autofsck.
> kernel 100 % done 1/1
> /
> Kernel Updated/Installed, checking for bootloader
> Grub found - making this kernel the default
> Installed: kernel 2.6.7-1.492.i686
> Transaction(s) Complete
>
> Something changed?
Yes, I think that a cleanup patch from Russell removed an overly general
rule from bootloader.te that was giving it getattr permission to all
file types; the diff was:
@@ -102,7 +104,8 @@
allow bootloader_t self:capability { fsetid sys_rawio sys_admin mknod chown }; # allow bootloader to get attributes of any device node
-allow bootloader_t file_type:dir_file_class_set getattr;
+allow bootloader_t { device_type ttyfile }:chr_file getattr;
+allow bootloader_t device_type:blk_file getattr;
dontaudit bootloader_t devpts_t:dir create_dir_perms;
allow bootloader_t self:process { fork signal_perms };
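Review bot: the two `+` lines only restore getattr on chr_file and blk_file device nodes, but the removed `allow bootloader_t file_type:dir_file_class_set getattr;` was also the only rule granting getattr on the dir and file objects bootloader_t reads, which is exactly the quoted denial (bootloader_t getattr on modules_object_t:dir while mkinitrd checks /lib/modules/2.6.7-1.492). Before dropping the broad rule, the same patch should add getattr to every bootloader.te rule that grants read on a file-like class (or switch those rules to r_file_perms / r_dir_perms); otherwise the kernel %post fails in enforcing mode and no initrd is built.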
To fix, I'd suggest adding getattr to any allow rule where read
permission is granted in bootloader.te, or replacing uses of "read" with
the r_file_perms macro.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
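To make the suggestion above concrete, here is an added example (not code from the list post, from Russell's patch, or from the policy tree): a small Python model of the allow-rule syntax that replays the quoted denial against a constructed bootloader.te excerpt before the cleanup, after the hunk above, and after applying the "add getattr wherever read is granted" fix. The attribute memberships, the expansion of dir_file_class_set, the policy lines and the audit line are all constructed for illustration and are assumptions, not the real policy.

```python
import re

# Added example, not from the post or the policy tree. Models just enough of the
# SELinux policy language (allow rules, attributes, 'self', one m4 class-set macro)
# to replay the denial reported above. Everything below is constructed.

FILE_CLASSES = ["dir", "file", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"]
CLASS_SETS = {"dir_file_class_set": set(FILE_CLASSES)}  # assumed expansion of the macro

# allow SRC TGT:CLASS PERM;   or   allow SRC TGT:CLASS { p1 p2 ... };   (SRC/TGT may be braced lists)
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\{[^}]*\}|\S+)\s+(?P<tgt>\{[^}]*\}|[^:\s{]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<set>[^}]*)\}|(?P<one>\w+))\s*;(?P<rest>.*)$"
)

def parse_rule(line):
    """(src, tgt, cls, perms, trailing text) for an allow rule, else None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    return m["src"], m["tgt"], m["cls"], (m["set"] or m["one"]).split(), m["rest"]

def add_getattr_to_read_rules(policy_text):
    """The fix suggested above: every allow rule that grants read on a file-like
    class (or on dir_file_class_set) also grants getattr. Other lines pass through."""
    out = []
    for line in policy_text.splitlines():
        parsed = parse_rule(line)
        if parsed:
            src, tgt, cls, perms, rest = parsed
            if (cls in FILE_CLASSES or cls in CLASS_SETS) and "read" in perms and "getattr" not in perms:
                line = "allow %s %s:%s { %s };%s" % (src, tgt, cls, " ".join(perms + ["getattr"]), rest)
        out.append(line)
    return "\n".join(out)

def expand(name, attrs):
    """Set of types named by a type, an attribute, or a braced list of either."""
    types = set()
    for n in name.strip("{}").split():
        types |= attrs.get(n, {n})
    return types

def permits(policy_text, attrs, stype, ttype, tclass, perm):
    """True if some allow rule grants (stype, ttype, tclass, perm); 'self' is the source type."""
    for line in policy_text.splitlines():
        parsed = parse_rule(line)
        if not parsed:
            continue
        src, tgt, cls, perms, _ = parsed
        if perm not in perms or tclass not in CLASS_SETS.get(cls, {cls}):
            continue
        if stype not in expand(src, attrs):
            continue
        targets = {stype} if tgt == "self" else expand(tgt, attrs)
        if ttype in targets:
            return True
    return False

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perm>\w+)\s*\}.*?"
                    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\w+)")

def parse_avc(line):
    """(source type, target type, class, permission) from a kernel audit AVC line."""
    m = AVC_RE.search(line)
    return (m["s"].split(":")[2], m["t"].split(":")[2], m["c"], m["perm"]) if m else None

# Constructed attribute memberships (a real policy derives these from type declarations).
ATTRS = {
    "file_type": {"modules_object_t", "boot_t", "bin_t"},
    "device_type": {"fixed_disk_device_t", "tty_device_t"},
}

BROAD = "allow bootloader_t file_type:dir_file_class_set getattr;\n"

# Constructed excerpt in the shape of bootloader.te before the cleanup ...
BEFORE = ("allow bootloader_t self:capability { fsetid sys_rawio sys_admin mknod chown };\n"
          + BROAD +
          "allow bootloader_t modules_object_t:dir { read search };\n"
          "allow bootloader_t modules_object_t:file read;\n")

# ... and after the hunk above: broad rule gone, narrower device-node rules added.
AFTER = BEFORE.replace(BROAD, "allow bootloader_t { device_type ttyfile }:chr_file getattr;\n"
                              "allow bootloader_t device_type:blk_file getattr;\n")

# Constructed audit line carrying the same fields as the denial quoted in the report.
AVC = ("audit(1089989535.207:0): avc: denied { getattr } for pid=3420 exe=/bin/bash "
       "path=/lib/modules/2.6.7-1.492 dev=hda2 ino=3671053 "
       "scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:modules_object_t tclass=dir")

def replay():
    """Is the quoted denial permitted before the cleanup, after it, and after the fix?"""
    access = parse_avc(AVC)
    return tuple(permits(p, ATTRS, *access) for p in (BEFORE, AFTER, add_getattr_to_read_rules(AFTER)))

if __name__ == "__main__":
    print(replay())  # (True, False, True)
```

The middle value is the regression from the report: once the broad rule is gone, the only rules touching modules_object_t grant read and search but not getattr, so bash's test on /lib/modules/2.6.7-1.492 is denied. Rewriting those read rules to include getattr (what r_file_perms / r_dir_perms do in the real macros) restores the access without bringing back getattr on every file type.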