selinux policy change yields unbootable initrd
Will Woods
wwoods at redhat.com
Mon Mar 19 20:21:21 UTC 2007
On Mon, 2007-03-19 at 09:09 -0400, Stephen Smalley wrote:
> On Fri, 2007-03-16 at 12:20 -0400, Will Woods wrote:
> > Here's the relevant info, triggered when installing a new kernel
> > (which runs mkinitrd):
> >
> > avc: denied { create } for comm="ldconfig" egid=0 euid=0
> > exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
> > name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0
> > sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file
> > tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0
>
> We shouldn't allow ldconfig to create files with rpm_script_tmp_t
> (private temporary file type for rpm scriptlets), so something is
> wrong here. How is the parent directory created?
It's created by 'mktemp -d' in mkinitrd:

    MNTIMAGE=`mktemp -d ${TMPDIR}/initrd.XXXXXX`
    [create directory layout in $MNTIMAGE]
    mkdir -p $MNTIMAGE/lib/firmware
    [copy binaries and libraries into $MNTIMAGE]
    /sbin/ldconfig -r "$MNTIMAGE"
This is running as part of the kernel RPM's %post script, so it makes
some sense that the target would have a context of rpm_script_tmp_t.
As you can see, mkinitrd *does* require that ldconfig be able to create
symlinks with rpm_script_tmp_t (or some other tmp_t). Otherwise we end
up with non-bootable initrds, which is what we're seeing in rawhide
right now.
-w
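The AVC record Will posted is the whole evidence in this thread, so it is worth being able to read it mechanically: the source type (ldconfig_t, after the domain transition from the rpm scriptlet), the target type (rpm_script_tmp_t, inherited by the mktemp directory), the object class and the denied permission. The following is an added example, not code from the thread or from the SELinux tools. It parses a kernel-style "avc: denied" line (the same regex also accepts auditd's "type=AVC ... avc:  denied  {" form), derives the minimal allow rule that audit2allow would print for it, and applies a naming heuristic (an assumption of this example, not an SELinux rule) to flag the case Stephen points out: the target is another domain's private *_tmp_t type, so simply allowing the access is probably the wrong fix. The sample line is Will's record, reflowed onto one line.

```python
import re

# Constructed sample: the AVC record from the thread, reflowed onto one line.
SAMPLE_AVC = (
    'avc: denied { create } for comm="ldconfig" egid=0 euid=0 '
    'exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0 '
    'sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file '
    'tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0'
)

# "avc: denied { perm perm ... }" (kernel printk and auditd both use this shape,
# auditd with extra whitespace, which \s+ absorbs).
_PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
# key=value pairs; values are either double-quoted or a run of non-blanks.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict, or return None if the line is not one."""
    m = _PERMS_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in _KV_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    return rec


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def allow_rule(rec):
    """The minimal TE rule audit2allow would derive for this record.

    A single permission is printed bare, several are braced, matching the
    audit2allow output format.
    """
    stype = type_of(rec["scontext"])
    ttype = type_of(rec["tcontext"])
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (stype, ttype, rec["tclass"], perm_str)


def looks_like_foreign_tmp(rec):
    """Heuristic (an assumption of this example, not policy semantics):

    a target type named *_tmp_t that does not share the source domain's
    name prefix is most likely another domain's private temporary type,
    e.g. ldconfig_t writing into rpm_script_tmp_t. Such a denial usually
    means a labelling or transition problem rather than a missing allow.
    """
    stype = type_of(rec["scontext"])
    ttype = type_of(rec["tcontext"])
    if not (stype and ttype and ttype.endswith("_tmp_t")):
        return False
    domain_prefix = stype[:-len("_t")] if stype.endswith("_t") else stype
    return not ttype.startswith(domain_prefix)


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(allow_rule(rec))
    if looks_like_foreign_tmp(rec):
        print("warning: target is another domain's private tmp type; "
              "check how the parent directory was labelled before allowing")
```

Run against a whole audit log with something like `for line in open("/var/log/audit/audit.log"): ...` feeding `parse_avc`; for Will's record the rule comes out as `allow ldconfig_t rpm_script_tmp_t:lnk_file create;` and the heuristic fires, which is exactly the situation the two posts above are arguing about.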
More information about the fedora-selinux-list mailing list