install of kernel-2.6.7-1.492: mkinitrd fails in strict/enforcing .......

Stephen Smalley sds at epoch.ncsc.mil
Fri Jul 16 17:49:24 UTC 2004


On Fri, 2004-07-16 at 12:44, Tom London wrote:
> 'yum update' for the kernel-2.6.7-1.492 doesn't work
> (strict/enforcing mode, selinux-policy-strict-1.15.5-2):
> 
>     kernel 100 % done 18/47
>     /bin/bash: /root/.bashrc: Permission denied
>     /lib/modules/2.6.7-1.492 is not a directory.
>     mkinitrd failed
>     /
> 
> [I checked, and no initrd-2.6.7-1.492.img in /boot]
> 
> I found this message in /var/log/messages:
>     Jul 16 07:52:15 fedora kernel: audit(1089989535.207:0): avc:  
> denied  { getattr } for  pid=3420 exe=/bin/bash 
> path=/lib/modules/2.6.7-1.492 dev=hda2 ino=3671053 
> scontext=root:sysadm_r:bootloader_t 
> tcontext=system_u:object_r:modules_object_t tclass=dir
> 
> I set 'strict/permissive', did 'rpm -e kernel-2.6.7-1.492'
> and did the 'yum update' again and got:
>     Dependencies resolved
>     I will do the following:
>     [install: kernel 2.6.7-1.492.i686]
>     Is this ok [y/N]: y
>     Downloading Packages
>     Running test transaction:
>     WARNING: Multiple same specifications for /halt.
>     WARNING: Multiple same specifications for /\.autofsck.
>     Test transaction complete, Success!
>     WARNING: Multiple same specifications for /halt.
>     WARNING: Multiple same specifications for /\.autofsck.
>     kernel 100 % done 1/1
>     /
>     Kernel Updated/Installed, checking for bootloader
>     Grub found - making this kernel the default
>     Installed:  kernel 2.6.7-1.492.i686
>     Transaction(s) Complete
> 
> Did something change?

Yes, I think that a cleanup patch from Russell removed an overly general
rule from bootloader.te that was giving it getattr permission to all
file types; the diff was:

@@ -102,7 +104,8 @@
  
 allow bootloader_t self:capability { fsetid sys_rawio sys_admin mknod chown }; # allow bootloader to get attributes of any device node
-allow bootloader_t file_type:dir_file_class_set getattr;
+allow bootloader_t { device_type ttyfile }:chr_file getattr;
+allow bootloader_t device_type:blk_file getattr;
 dontaudit bootloader_t devpts_t:dir create_dir_perms;
  
 allow bootloader_t self:process { fork signal_perms };
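Review bot: the removed `allow bootloader_t file_type:dir_file_class_set getattr;` was also the only thing letting bootloader_t stat directories such as /lib/modules/<version> (the quoted denial is `{ getattr }` on `modules_object_t`, tclass `dir`), and the two replacement rules cover only `chr_file` and `blk_file` device nodes, so every bootloader_t rule that grants `read` on a file or directory type without `getattr` now fails in enforcing mode. The same patch that narrows the blanket rule should add `getattr` to those read rules (or switch them to `r_file_perms`), otherwise mkinitrd's `test -d` on the modules directory breaks as reported.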

To fix, I'd suggest adding getattr to any allow rule where read
permission is granted in bootloader.te, or replacing uses of "read" with
the r_file_perms macro.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
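The two steps in the reply above, turning the quoted AVC denial into the rule it asks for and patching `read`-without-`getattr` rules as suggested, as an added worked example. This is not code from the thread or from the SELinux policy tree: the `.te` fragment is constructed to show the rule shapes involved and is not the real bootloader.te, and the helper names (`parse_avc`, `avc_to_rule`, `fix_rules`) are this example's own.

```python
"""Added example: parse an AVC denial and patch allow rules in a .te fragment
that grant `read` but not `getattr`, per the suggestion in the reply."""
import re

# AVC denial copied from the quoted report, joined onto one line.
AVC_LINE = (
    "Jul 16 07:52:15 fedora kernel: audit(1089989535.207:0): avc:  denied  "
    "{ getattr } for  pid=3420 exe=/bin/bash path=/lib/modules/2.6.7-1.492 "
    "dev=hda2 ino=3671053 scontext=root:sysadm_r:bootloader_t "
    "tcontext=system_u:object_r:modules_object_t tclass=dir"
)

# Constructed .te fragment in the style of bootloader.te. It is NOT the real
# file; it only illustrates the rule shapes the suggested fix applies to.
SAMPLE_TE = """\
allow bootloader_t self:capability { fsetid sys_rawio sys_admin mknod chown };
allow bootloader_t modules_object_t:dir { read search };
allow bootloader_t modules_object_t:file read;
allow bootloader_t boot_t:dir r_dir_perms;
allow bootloader_t etc_t:file { read getattr };
allow initrc_t modules_object_t:file read;
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# allow <src> <tgt>:<class> <perm | { perms }>; [trailing comment]
ALLOW_RE = re.compile(
    r"^(?P<indent>\s*)allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|[^\s;]+)\s*;(?P<rest>.*)$"
)


def _fmt(perms):
    """Render a permission list the way policy sources write it."""
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def parse_avc(line):
    """Return (source type, target type, class, permission set) for one denial,
    or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type[:level]; the type is the third field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())


def avc_to_rule(line):
    """The narrowest allow rule that silences this one denial (what an
    audit2allow-style tool emits). Handy for seeing what broke; the reply
    recommends fixing the existing read rules instead of adding this."""
    parsed = parse_avc(line)
    if parsed is None:
        raise ValueError("not an AVC denial: %r" % line)
    stype, ttype, tclass, perms = parsed
    return "allow %s %s:%s %s;" % (stype, ttype, tclass, _fmt(sorted(perms)))


def fix_rules(te_text, domain, use_macro=False):
    """Patch allow rules for `domain` that grant `read` without `getattr`.
    Default: append getattr to the permission set.  use_macro=True: for the
    file class with a bare `read`, substitute the r_file_perms macro instead
    (the reply's alternative). Other domains and macro-based rules are left alone."""
    out = []
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if m is None or m.group("src") != domain:
            out.append(line)
            continue
        perms = m.group("perms").strip("{}").split()
        # A macro name such as r_dir_perms is not "read", so it passes through.
        if "read" not in perms or "getattr" in perms:
            out.append(line)
            continue
        if use_macro and m.group("cls") == "file" and perms == ["read"]:
            new = "r_file_perms"
        else:
            new = _fmt(perms + ["getattr"])
        out.append("%sallow %s %s:%s %s;%s" % (
            m.group("indent"), m.group("src"), m.group("tgt"),
            m.group("cls"), new, m.group("rest")))
    return "\n".join(out) + ("\n" if te_text.endswith("\n") else "")


if __name__ == "__main__":
    print(avc_to_rule(AVC_LINE))
    print(fix_rules(SAMPLE_TE, "bootloader_t"))
    print(fix_rules(SAMPLE_TE, "bootloader_t", use_macro=True))
```

Running it prints the one-off rule `allow bootloader_t modules_object_t:dir getattr;` for the quoted denial, then the fragment with `getattr` added to (or `r_file_perms` substituted into) only the bootloader_t rules that granted `read` without it; rules that already use a macro, already carry `getattr`, or belong to another domain are untouched.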
