Kernel install errors w/ strict/enforcing

Tom London selinux at comcast.net
Sat Jul 31 17:49:16 UTC 2004


The following started about a week ago
(running rawhide and off of Dan's tree:
 kernel-2.6.7-1.499, selinux-policy-strict-1.15.10-1, ...)

'yum install' for the kernel (.499 and .501) produces the following:
    failed to stat ./build/include/asm: 13 
above message repeated 9 times.

The install appears to be correct.

Here are the AVCs from the log:
Jul 31 10:37:35 fedora kernel: audit(1091295455.845:0): avc:  denied  { 
getattr } for  pid=4689 exe=/sbin/nash 
path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290 
scontext=root:sysadm_r:bootloader_t 
tcontext=system_u:object_r:modules_object_t tclass=lnk_file
Jul 31 10:37:38 fedora kernel: audit(1091295458.230:0): avc:  denied  { 
getattr } for  pid=4695 exe=/sbin/nash 
path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290 
scontext=root:sysadm_r:bootloader_t 
tcontext=system_u:object_r:modules_object_t tclass=lnk_file
Jul 31 10:37:39 fedora kernel: audit(1091295459.276:0): avc:  denied  { 
getattr } for  pid=4701 exe=/sbin/nash 
path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290 
scontext=root:sysadm_r:bootloader_t 
tcontext=system_u:object_r:modules_object_t tclass=lnk_file
Jul 31 10:37:39 fedora kernel: audit(1091295459.468:0): avc:  denied  { 
transition } for  pid=4703 exe=/bin/bash path=/sbin/dmsetup dev=hda2 
ino=2310342 scontext=root:sysadm_r:bootloader_t 
tcontext=root:system_r:lvm_t tclass=process
Jul 31 10:37:40 fedora kernel: audit(1091295460.731:0): avc:  denied  { 
getattr } for  pid=4735 exe=/sbin/nash 
path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290 
scontext=root:sysadm_r:bootloader_t 
tcontext=system_u:object_r:modules_object_t tclass=lnk_file
Jul 31 10:37:41 fedora kernel: audit(1091295461.268:0): avc:  denied  { 
getattr } for  pid=4739 exe=/sbin/nash 
path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290 
scontext=root:sysadm_r:bootloader_t 
tcontext=system_u:object_r:modules_object_t tclass=lnk_file
Jul 31 10:37:41 fedora kernel: audit(1091295461.764:0): avc:  denied  { 
getattr } for  pid=4744 exe=/sbin/nash 
path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290 
scontext=root:sysadm_r:bootloader_t 
tcontext=system_u:object_r:modules_object_t tclass=lnk_file
Jul 31 10:37:42 fedora kernel: audit(1091295462.569:0): avc:  denied  { 
getattr } for  pid=4751 exe=/sbin/nash 
path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290 
scontext=root:sysadm_r:bootloader_t 
tcontext=system_u:object_r:modules_object_t tclass=lnk_file
Jul 31 10:37:43 fedora kernel: audit(1091295463.091:0): avc:  denied  { 
getattr } for  pid=4756 exe=/sbin/nash 
path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290 
scontext=root:sysadm_r:bootloader_t 
tcontext=system_u:object_r:modules_object_t tclass=lnk_file
Jul 31 10:37:43 fedora kernel: audit(1091295463.633:0): avc:  denied  { 
getattr } for  pid=4761 exe=/sbin/nash 
path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290 
scontext=root:sysadm_r:bootloader_t 
tcontext=system_u:object_r:modules_object_t tclass=lnk_file

'audit2allow' on the above yields:
    allow bootloader_t lvm_t:process { transition };
    allow bootloader_t modules_object_t:lnk_file { getattr };

Do we need to make this (or some other) change?

thanks
   tom
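
The step from the wrapped AVC denials to the two 'audit2allow' rules, as an added example that is not part of the original post and is not audit2allow's own code: a simplified sketch that keeps only the type field of each context and merges repeated denials. The function names are hypothetical; the sample records are copied from the log above.

```python
import re
from collections import defaultdict

# Three denials copied from the post, keeping the mail client's line
# wrapping (note "{" and the permission name land on different lines).
SAMPLE = """\
Jul 31 10:37:35 fedora kernel: audit(1091295455.845:0): avc:  denied  {
getattr } for  pid=4689 exe=/sbin/nash
path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290
scontext=root:sysadm_r:bootloader_t
tcontext=system_u:object_r:modules_object_t tclass=lnk_file
Jul 31 10:37:38 fedora kernel: audit(1091295458.230:0): avc:  denied  {
getattr } for  pid=4695 exe=/sbin/nash
path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290
scontext=root:sysadm_r:bootloader_t
tcontext=system_u:object_r:modules_object_t tclass=lnk_file
Jul 31 10:37:39 fedora kernel: audit(1091295459.468:0): avc:  denied  {
transition } for  pid=4703 exe=/bin/bash path=/sbin/dmsetup dev=hda2
ino=2310342 scontext=root:sysadm_r:bootloader_t
tcontext=root:system_r:lvm_t tclass=process
"""

# \s+ and the lazy .*? span the wrapped line breaks inside one record.
AVC = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?"
    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)", re.S)

def type_of(context):
    """Contexts are user:role:type[:level]; TE allow rules use only the type."""
    return context.split(":")[2]

def summarize(log_text):
    """Map (source type, target type, class) -> [permission set, denial count]."""
    seen = defaultdict(lambda: [set(), 0])
    for m in AVC.finditer(log_text):
        entry = seen[(type_of(m.group(2)), type_of(m.group(3)), m.group(4))]
        entry[0].update(m.group(1).split())
        entry[1] += 1
    return dict(seen)

def allow_rules(log_text):
    """Render one allow rule per key, in the form audit2allow printed above."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), (p, _) in sorted(summarize(log_text).items())]

if __name__ == "__main__":
    for key, (perms, count) in sorted(summarize(SAMPLE).items()):
        print(count, "denial(s):", key, sorted(perms))
    print("\n".join(allow_rules(SAMPLE)))
```

The per-rule denial count is kept so that each generated rule can be reviewed against how often, and from which domain, the access was actually attempted before anything is added to policy.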



