avc denied from kernel 427 update

Tom London selinux at comcast.net
Sun Jun 13 06:52:53 UTC 2004


The warnings seem to be caused by 'rpm' not assigning the proper 
contexts to 'installed' files.

The 'FATAL' message from 'mkinitrd' seems to be due to a problem with 
'ulimit' defaults.

A workaround until fixed, install/update kernel only in permissive mode, 
and make sure you do a 'ulimit -l unlimited' before running 'yum' (so 
you'll enter 'setenforce 0; ulimit -l unlimited').  I think you'll still 
get the warnings, but the command will succeed without the fatal error. 
After the yum 'succeeds', you probably will need to correct the context 
labels for the kernel files.  Easiest way to do that is to run
	FC=/etc/selinux/strict/contexts/files/file_contexts
	setfiles -v $FC /lib/modules/2.6.6-1.427
	setfiles -v $FC /boot
BEFORE you reboot, or to reboot single-user, permissive mode (by adding 
'single enforcing=0' to the boot params) and then running 'fixfiles 
relabel'. Then you can reboot multi-user as usual.

If you've updated more than just the kernel package, you probably want 
to do the 'boot single-user/permissive, run fixfiles' path.

tom

--------------------------------------
     * From: Richard Hally <rhallyx mindspring com>
     * To: fedora-selinux-list redhat com
     * Subject: avc denied from kernel 427 update
     * Date: Sun, 13 Jun 2004 02:29:05 -0400

Below a few of the over 100 warning and error messages from doing yum 
update today (6/12/04). Of the ones that didn't scroll off, they are all 
about the 427/build directory tree.
This is in enforcing mode using the most recent strict policy that 
existed before today's update to
selinux-policy-strict-sources-1.13.4-5. The avc denied messages are 
further below.
HTH
Richard Hally

-----------------------------------------------------------------------------------------------------
from yum update:
...
WARNING: Couldn't stat /lib/modules/2.6.6-1.427/build/.config: Permission denied
WARNING: Couldn't stat /lib/modules/2.6.6-1.427/build/init/Makefile: Permission denied
WARNING: Couldn't stat /lib/modules/2.6.6-1.427/build/init/Kconfig: Permission denied
FATAL: Could not open /lib/modules/2.6.6-1.427/modules.dep.temp for writing: Permission denied
/bin/bash: /root/.bashrc: Permission denied
No dep file found for kernel 2.6.6-1.427
mkinitrd failed

-------------------------------------------------------------------
And here are some of the avc denied messages


Jun 12 19:27:20 new2 kernel: audit(1087082831.128:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/net/ipv4/Kconfig dev=hda2 ino=543312 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/.config dev=hda2 ino=525543 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/init/Makefile dev=hda2 ino=525592 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/init/Kconfig dev=hda2 ino=525591 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { write } for pid=5774 exe=/sbin/depmod name=2.6.6-1.427 dev=hda2 ino=525541 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=dir
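Added example, not part of either message in this thread: a small Python triage script that parses the 2.6-era `audit(...): avc: denied` records quoted above, groups them by source type, target type and object class (the same grouping audit2allow summarises), and separately lists targets under /lib/modules that still carry the generic lib_t label. The sample records are the five quoted in the thread, joined onto one line each. The "lib_t under /lib/modules means a file rpm left mislabelled, so relabel it rather than loosen policy" rule is this example's own heuristic, in line with Tom's setfiles advice, not something the thread states as a general rule.

```python
import re
from collections import defaultdict

# The five AVC records quoted in the thread (constructed sample input: the
# mail-wrapped lines are joined back onto one line each).
SAMPLE_LOG = """\
Jun 12 19:27:20 new2 kernel: audit(1087082831.128:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/net/ipv4/Kconfig dev=hda2 ino=543312 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/.config dev=hda2 ino=525543 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/init/Makefile dev=hda2 ino=525592 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { getattr } for pid=5774 exe=/sbin/depmod path=/lib/modules/2.6.6-1.427/build/init/Kconfig dev=hda2 ino=525591 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun 12 19:27:20 new2 kernel: audit(1087082831.142:0): avc: denied { write } for pid=5774 exe=/sbin/depmod name=2.6.6-1.427 dev=hda2 ino=525541 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=dir
"""

# "audit(<secs>.<ms>:<serial>): avc: denied { perm ... } for key=value ..."
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} +for +(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split(), "timestamp": float(m.group("ts"))}
    # The trailing key=value pairs: pid, exe, path/name, dev, ino, scontext, tcontext, tclass
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def parse_log(text):
    """Parse every AVC denial in a block of kernel log text, skipping other lines."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def type_of(context):
    """The type component of a user:role:type context string."""
    return context.split(":")[-1]


def summarize(records):
    """Group denials by (source type, target type, class) with the union of perms,
    which is the same shape audit2allow reports before proposing a rule."""
    summary = defaultdict(set)
    for r in records:
        key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])
        summary[key].update(r["perms"])
    return {k: sorted(v) for k, v in summary.items()}


def relabel_candidates(records, generic_type="lib_t", prefix="/lib/modules/"):
    """Heuristic (this example's assumption): an object under /lib/modules that is
    still labelled with the generic lib_t type was left mislabelled by the package
    install, so the fix is setfiles/fixfiles on it, not a new allow rule.
    Directory denials only report name= (a basename), so they carry no full path
    and are left to the summary above."""
    hits = set()
    for r in records:
        path = r.get("path")
        if path and type_of(r["tcontext"]) == generic_type and path.startswith(prefix):
            hits.add(path)
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} AVC denials")
    for (src, tgt, cls), perms in summarize(recs).items():
        print(f"  {src} -> {tgt} ({cls}): {' '.join(perms)}")
    print("relabel candidates:")
    for p in relabel_candidates(recs):
        print("  ", p)
```

Running it on the quoted records gives one summary line per object class (depmod_t on lib_t files wanting getattr, and on a lib_t directory wanting write) and four file paths under build/ as relabel candidates, which matches the thread's diagnosis that the package left the files with the wrong context rather than the policy being wrong about depmod.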
