mkinitrd problems - 2 slightly different ones...

Colin Walters walters at redhat.com
Tue Apr 20 03:12:29 UTC 2004


On Mon, 2004-04-19 at 22:50, Valdis.Kletnieks at vt.edu wrote:
> Running the fedora-devel code as of 0419.. hitting some issues
> with installing a new kernel due to mkinitrd failing.
> 
> System has 1 disk, using LVM for the root filesystem - the bigger error seems
> to be LVM-specific (looks like bootloader_t needs to be able to do stuff
> with lvm_exec_t and lvm_etc_t).

I don't think anyone here has really messed seriously with SELinux and
LVM yet.  Looks like you are the lucky winner :)

> rm: remove.c:378: AD_pop_and_chdir: Assertion `AD_stack_height (ds)' failed.

Nice.  I think many applications were written with the idea that they
would always have permissions to the current working directory.

> How did I cause that?  I was stupidly still cd'ed into /etc/security/selinux/src/policy at the time. ;)

Yeah.

> Apr 19 22:36:44 orange kernel: audit(1082428604.698:0): avc:  denied  { execute } for  pid=15696 exe=/bin/bash name=dmsetup dev=dm-0 ino=65548 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
> Apr 19 22:36:44 orange kernel: audit(1082428604.698:0): avc:  denied  { read } for  pid=15696 exe=/bin/bash name=dmsetup dev=dm-0 ino=65548 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
> Apr 19 22:36:44 orange kernel: audit(1082428604.729:0): avc:  denied  { execute } for  pid=15711 exe=/bin/bash name=ls dev=dm-0 ino=16424 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:ls_exec_t tclass=file
> Apr 19 22:36:44 orange kernel: audit(1082428604.729:0): avc:  denied  { read } for  pid=15711 exe=/bin/bash name=ls dev=dm-0 ino=16424 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:ls_exec_t tclass=file
> Apr 19 22:36:46 orange kernel: SELinux: initialized (dev loop0, type ext2), uses xattr
> Apr 19 22:36:47 orange kernel: audit(1082428607.002:0): avc:  denied  { read } for  pid=15834 exe=/bin/cp name=lvm.static dev=dm-0 ino=72206 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
> Apr 19 22:36:47 orange kernel: audit(1082428607.007:0): avc:  denied  { read } for  pid=15835 exe=/bin/cp name=lvm.conf dev=dm-0 ino=82396 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_etc_t tclass=file

I added stuff to try to fix this into policy, will be in the next
upload.  Patch attached, let me know if it works for you...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: lvm.patch
Type: text/x-patch
Size: 872 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20040419/96f2628f/attachment.bin>

