kernel fails to install
Daniel J Walsh
dwalsh at redhat.com
Wed Dec 1 16:08:31 UTC 2004
Tom London wrote:
>Running strict/enforcing off of Rawhide.
>
>Doing yesterday's updates, the kernel failed to
>install to /boot. That is, no files installed
>under /boot, but worked OK installing
>files to /lib/modules.
>
>I did an rpm -e, setenforce 0; rpm -ivh, and got
>the following:
>w
>Nov 30 19:36:32 fedora kernel: audit(1101872192.328:0): avc: denied
>{ read } for pid=3647 exe=/bin/bash name=.bashrc dev=hda2 ino=1196086
>scontext=root:sysadm_r:bootloader_t
>tcontext=root:object_r:staff_home_t tclass=file
>Nov 30 19:36:32 fedora kernel: audit(1101872192.328:0): avc: denied
>{ getattr } for pid=3647 exe=/bin/bash path=/root/.bashrc dev=hda2
>ino=1196086 scontext=root:sysadm_r:bootloader_t
>tcontext=root:object_r:staff_home_t tclass=file
>Nov 30 19:36:32 fedora kernel: audit(1101872192.337:0): avc: denied
>{ read } for pid=3649 exe=/usr/bin/id name=config dev=hda2
>ino=4509759 scontext=root:sysadm_r:bootloader_t
>tcontext=system_u:object_r:selinux_config_t tclass=file
>Nov 30 19:36:32 fedora kernel: audit(1101872192.338:0): avc: denied
>{ getattr } for pid=3649 exe=/usr/bin/id path=/etc/selinux/config
>dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t
>tcontext=system_u:object_r:selinux_config_t tclass=file
>Nov 30 19:36:32 fedora kernel: audit(1101872192.501:0): avc: denied
>{ execute } for pid=3647 exe=/bin/bash name=colorls.sh dev=hda2
>ino=4474159 scontext=root:sysadm_r:bootloader_t
>tcontext=system_u:object_r:etc_t tclass=file
>Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied
>{ execute } for pid=3662 exe=/bin/bash name=consoletype dev=hda2
>ino=2310212 scontext=root:sysadm_r:bootloader_t
>tcontext=system_u:object_r:consoletype_exec_t tclass=file
>Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied
>{ execute_no_trans } for pid=3662 exe=/bin/bash
>path=/sbin/consoletype dev=hda2 ino=2310212
>scontext=root:sysadm_r:bootloader_t
>tcontext=system_u:object_r:consoletype_exec_t tclass=file
>Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied
>{ read } for pid=3662 exe=/bin/bash path=/sbin/consoletype dev=hda2
>ino=2310212 scontext=root:sysadm_r:bootloader_t
>tcontext=system_u:object_r:consoletype_exec_t tclass=file
>
>allow bootloader_t consoletype_exec_t:file { execute execute_no_trans read };
>allow bootloader_t etc_t:file execute;
>allow bootloader_t selinux_config_t:file { getattr read };
>allow bootloader_t staff_home_t:file { getattr read };
>
>
>
>
Can you try selinux-policy-strict-1.19.8-4 out on my
ftp://people.redhat.com/dwalsh/SELinux/Fedora
I added can_exec_any(bootloader_t) which should allow it to run
consoletype. Not sure what the
etc_t:file execute is about, the others are just because you are running
under permissive mode.
Dan
More information about the fedora-selinux-list
mailing list