mkinitrd problems - 2 slightly different ones...

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue Apr 20 02:50:30 UTC 2004


Running the fedora-devel code as of 0419.. hitting some issues
with installing a new kernel due to mkinitrd failing.

System has 1 disk, using LVM for the root filesystem - the bigger error seems
to be LVM-specific (looks like bootloader_t needs to be able to do stuff
with lvm_exec_t and lvm_etc_t).

First, a quick example of shooting yourself in the foot:

# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t

# /sbin/mkinitrd -v /boot/initrd-2.6.5-1.327.img 2.6.5-1.327
Looking for deps of module ide-disk     
/sbin/mkinitrd: line 1: /bin/ls: Permission denied
Looking for deps of module ext3  jbd
Looking for deps of module jbd  
Looking for deps of module dm-mod       
Using modules:  ./kernel/fs/jbd/jbd.ko ./kernel/fs/ext3/ext3.ko ./kernel/drivers/md/dm-mod.ko
Using loopback device /dev/loop0
rm: cannot get current directory: Permission denied
/sbin/nash -> /tmp/initrd.Y15570/bin/nash
/sbin/insmod.static -> /tmp/initrd.Y15570/bin/insmod
copy from /lib/modules/2.6.5-1.327/./kernel/fs/jbd/jbd.ko(elf32-i386) to /tmp/initrd.Y15570/lib/jbd.ko(elf32-i386)
copy from /lib/modules/2.6.5-1.327/./kernel/fs/ext3/ext3.ko(elf32-i386) to /tmp/initrd.Y15570/lib/ext3.ko(elf32-i386)
copy from /lib/modules/2.6.5-1.327/./kernel/drivers/md/dm-mod.ko(elf32-i386) to /tmp/initrd.Y15570/lib/dm-mod.ko(elf32-i386)
/sbin/lvm.static -> /tmp/initrd.Y15570/bin/lvm
cp: cannot open `/sbin/lvm.static' for reading: Permission denied
/etc/lvm -> /tmp/initrd.Y15570/etc/lvm
`/etc/lvm/lvm.conf' -> `/tmp/initrd.Y15570/etc/lvm/lvm.conf'
cp: cannot open `/etc/lvm/lvm.conf' for reading: Permission denied
Loading module jbd
Loading module ext3
Loading module dm-mod
rm: cannot get current directory: Permission denied
rm: remove.c:378: AD_pop_and_chdir: Assertion `AD_stack_height (ds)' failed.
/sbin/mkinitrd: line 678: 15649 Aborted                 rm -rf $MNTIMAGE $MNTPOINT $IMAGE
#

Ouch. Gotta love that final 'rm' error. :)

How did I cause that?  I was stupidly still cd'ed into /etc/security/selinux/src/policy at the time. ;)

Got *tons* of these:

Apr 19 22:31:27 orange kernel: audit(1082428287.917:0): avc:  denied  { search } for  pid=15434 exe=/bin/bash name=policy dev=dm-0 ino=85034 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:policy_src_t tclass=dir

and here's the one that killed the rm command, I think:

Apr 19 22:31:28 orange kernel: audit(1082428288.257:0): avc:  denied  { search } for  pid=15649 exe=/bin/rm name=policy dev=dm-0 ino=85034 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:policy_src_t tclass=dir

(total of 88 failed 'search' - odd part is that I did NOT have '.' in my $PATH).

OK, so take 2 - this gets rid of the 88 failed search requests:

# cd /
#  /sbin/mkinitrd -v /boot/initrd-2.6.5-1.327.img 2.6.5-1.327
Looking for deps of module ide-disk     
/sbin/mkinitrd: line 1: /bin/ls: Permission denied
Looking for deps of module ext3  jbd
Looking for deps of module jbd  
Looking for deps of module dm-mod       
Using modules:  ./kernel/fs/jbd/jbd.ko ./kernel/fs/ext3/ext3.ko ./kernel/drivers/md/dm-mod.ko
Using loopback device /dev/loop0
/sbin/nash -> /tmp/initrd.f15792/bin/nash
/sbin/insmod.static -> /tmp/initrd.f15792/bin/insmod
copy from /lib/modules/2.6.5-1.327/./kernel/fs/jbd/jbd.ko(elf32-i386) to /tmp/initrd.f15792/lib/jbd.ko(elf32-i386)
copy from /lib/modules/2.6.5-1.327/./kernel/fs/ext3/ext3.ko(elf32-i386) to /tmp/initrd.f15792/lib/ext3.ko(elf32-i386)
copy from /lib/modules/2.6.5-1.327/./kernel/drivers/md/dm-mod.ko(elf32-i386) to /tmp/initrd.f15792/lib/dm-mod.ko(elf32-i386)
/sbin/lvm.static -> /tmp/initrd.f15792/bin/lvm
cp: cannot open `/sbin/lvm.static' for reading: Permission denied
/etc/lvm -> /tmp/initrd.f15792/etc/lvm
`/etc/lvm/lvm.conf' -> `/tmp/initrd.f15792/etc/lvm/lvm.conf'
cp: cannot open `/etc/lvm/lvm.conf' for reading: Permission denied
Loading module jbd
Loading module ext3
Loading module dm-mod

A bit better - here's the remaining avc messages:

Apr 19 22:36:44 orange kernel: audit(1082428604.698:0): avc:  denied  { execute } for  pid=15696 exe=/bin/bash name=dmsetup dev=dm-0 ino=65548 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
Apr 19 22:36:44 orange kernel: audit(1082428604.698:0): avc:  denied  { read } for  pid=15696 exe=/bin/bash name=dmsetup dev=dm-0 ino=65548 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
Apr 19 22:36:44 orange kernel: audit(1082428604.729:0): avc:  denied  { execute } for  pid=15711 exe=/bin/bash name=ls dev=dm-0 ino=16424 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:ls_exec_t tclass=file
Apr 19 22:36:44 orange kernel: audit(1082428604.729:0): avc:  denied  { read } for  pid=15711 exe=/bin/bash name=ls dev=dm-0 ino=16424 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:ls_exec_t tclass=file
Apr 19 22:36:46 orange kernel: SELinux: initialized (dev loop0, type ext2), uses xattr
Apr 19 22:36:47 orange kernel: audit(1082428607.002:0): avc:  denied  { read } for  pid=15834 exe=/bin/cp name=lvm.static dev=dm-0 ino=72206 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
Apr 19 22:36:47 orange kernel: audit(1082428607.007:0): avc:  denied  { read } for  pid=15835 exe=/bin/cp name=lvm.conf dev=dm-0 ino=82396 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_etc_t tclass=file
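
Added example, not part of the original message: a short Python parser that groups AVC denials such as the ones quoted above by source type, target type and object class, and renders each group as a candidate allow rule for review, in the manner of audit2allow. The log lines are copied from the message; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: kernel log lines copied from the message above.
SAMPLE_LOG = """\
Apr 19 22:31:27 orange kernel: audit(1082428287.917:0): avc:  denied  { search } for  pid=15434 exe=/bin/bash name=policy dev=dm-0 ino=85034 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:policy_src_t tclass=dir
Apr 19 22:36:44 orange kernel: audit(1082428604.698:0): avc:  denied  { execute } for  pid=15696 exe=/bin/bash name=dmsetup dev=dm-0 ino=65548 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
Apr 19 22:36:44 orange kernel: audit(1082428604.698:0): avc:  denied  { read } for  pid=15696 exe=/bin/bash name=dmsetup dev=dm-0 ino=65548 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
Apr 19 22:36:44 orange kernel: audit(1082428604.729:0): avc:  denied  { execute } for  pid=15711 exe=/bin/bash name=ls dev=dm-0 ino=16424 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:ls_exec_t tclass=file
Apr 19 22:36:44 orange kernel: audit(1082428604.729:0): avc:  denied  { read } for  pid=15711 exe=/bin/bash name=ls dev=dm-0 ino=16424 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:ls_exec_t tclass=file
Apr 19 22:36:46 orange kernel: SELinux: initialized (dev loop0, type ext2), uses xattr
Apr 19 22:36:47 orange kernel: audit(1082428607.002:0): avc:  denied  { read } for  pid=15834 exe=/bin/cp name=lvm.static dev=dm-0 ino=72206 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
Apr 19 22:36:47 orange kernel: audit(1082428607.007:0): avc:  denied  { read } for  pid=15835 exe=/bin/cp name=lvm.conf dev=dm-0 ino=82396 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_etc_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial, e.g. the "SELinux: initialized" line
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def candidate_rules(denials):
    """Render each group as a policy allow rule to be reviewed, not applied blindly."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(denials.items())
    ]

if __name__ == "__main__":
    for rule in candidate_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

The policy_src_t group appears only because the first run was started from the policy source directory; the grouping is a reading aid, and each line still needs its own policy decision.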
