kernel fails to install

Daniel J Walsh dwalsh at redhat.com
Wed Dec 1 16:08:31 UTC 2004


Tom London wrote:

>Running strict/enforcing off of Rawhide.
>
>Doing yesterday's updates, the kernel failed to 
>install to /boot.  That is, no files installed
>under /boot, but worked OK installing
>files to /lib/modules.
>
>I did an rpm -e, setenforce 0; rpm -ivh, and got
>the following:
>
>Nov 30 19:36:32 fedora kernel: audit(1101872192.328:0): avc:  denied 
>{ read } for  pid=3647 exe=/bin/bash name=.bashrc dev=hda2 ino=1196086
>scontext=root:sysadm_r:bootloader_t
>tcontext=root:object_r:staff_home_t tclass=file
>Nov 30 19:36:32 fedora kernel: audit(1101872192.328:0): avc:  denied 
>{ getattr } for  pid=3647 exe=/bin/bash path=/root/.bashrc dev=hda2
>ino=1196086 scontext=root:sysadm_r:bootloader_t
>tcontext=root:object_r:staff_home_t tclass=file
>Nov 30 19:36:32 fedora kernel: audit(1101872192.337:0): avc:  denied 
>{ read } for  pid=3649 exe=/usr/bin/id name=config dev=hda2
>ino=4509759 scontext=root:sysadm_r:bootloader_t
>tcontext=system_u:object_r:selinux_config_t tclass=file
>Nov 30 19:36:32 fedora kernel: audit(1101872192.338:0): avc:  denied 
>{ getattr } for  pid=3649 exe=/usr/bin/id path=/etc/selinux/config
>dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t
>tcontext=system_u:object_r:selinux_config_t tclass=file
>Nov 30 19:36:32 fedora kernel: audit(1101872192.501:0): avc:  denied 
>{ execute } for  pid=3647 exe=/bin/bash name=colorls.sh dev=hda2
>ino=4474159 scontext=root:sysadm_r:bootloader_t
>tcontext=system_u:object_r:etc_t tclass=file
>Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc:  denied 
>{ execute } for  pid=3662 exe=/bin/bash name=consoletype dev=hda2
>ino=2310212 scontext=root:sysadm_r:bootloader_t
>tcontext=system_u:object_r:consoletype_exec_t tclass=file
>Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc:  denied 
>{ execute_no_trans } for  pid=3662 exe=/bin/bash
>path=/sbin/consoletype dev=hda2 ino=2310212
>scontext=root:sysadm_r:bootloader_t
>tcontext=system_u:object_r:consoletype_exec_t tclass=file
>Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc:  denied 
>{ read } for  pid=3662 exe=/bin/bash path=/sbin/consoletype dev=hda2
>ino=2310212 scontext=root:sysadm_r:bootloader_t
>tcontext=system_u:object_r:consoletype_exec_t tclass=file
>
>allow bootloader_t consoletype_exec_t:file { execute execute_no_trans read };
>allow bootloader_t etc_t:file execute;
>allow bootloader_t selinux_config_t:file { getattr read };
>allow bootloader_t staff_home_t:file { getattr read };
>
>
>  
>
Can you try selinux-policy-strict-1.19.8-4 out on my

ftp://people.redhat.com/dwalsh/SELinux/Fedora

I added can_exec_any(bootloader_t), which should allow it to run
consoletype. Not sure what the etc_t:file execute is about; the others
are just because you are running under permissive mode.

Dan
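
Added example, not part of the original thread and not the audit2allow tool: a small Python sketch that groups AVC denials by source type, target type and class, emits the matching allow rule, and lists which executable touched which object, so a puzzling rule such as the etc_t:file execute can be traced to its trigger. The function names are hypothetical; the sample records are three denials from the quoted log with the mail line-wrapping joined.

```python
import re
from collections import defaultdict

# Three denials from the quoted log above, mail line-wrapping joined.
SAMPLE = """\
audit(1101872192.337:0): avc:  denied { read } for  pid=3649 exe=/usr/bin/id name=config dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1101872192.338:0): avc:  denied { getattr } for  pid=3649 exe=/usr/bin/id path=/etc/selinux/config dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1101872192.501:0): avc:  denied { execute } for  pid=3647 exe=/bin/bash name=colorls.sh dev=hda2 ino=4474159 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:etc_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
OBJ_RE = re.compile(r"exe=(\S+)\s+(?:name|path)=(\S+)")

def type_of(context):
    # A context is user:role:type[:range]; policy rules are written on the type.
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Return [(allow_rule, [triggers])], one entry per (source, target, class)."""
    perms = defaultdict(set)
    triggers = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        perms[key].update(m["perms"].split())
        obj = OBJ_RE.search(line)
        if obj:
            triggers[key].add(f"{obj[1]} -> {obj[2]}")
    out = []
    for key in sorted(perms):
        src, tgt, cls = key
        ps = sorted(perms[key])
        perm_str = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        out.append((f"allow {src} {tgt}:{cls} {perm_str};", sorted(triggers[key])))
    return out

if __name__ == "__main__":
    for rule, why in denials_to_rules(SAMPLE):
        print(rule, "  #", ", ".join(why))
```
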



