Permission denied when building kernel
Russell Coker
russell at coker.com.au
Mon May 31 10:06:43 UTC 2004
On Thu, 27 May 2004 18:39, Matthew East <matthew.east at iue.it> wrote:
> I cannot build and install a kernel with selinux enabled. Here is what
> happens towards the end of the modules_install stage:
>
> if [ -r System.map ]; then /sbin/depmod -ae -F System.map -b
> /var/tmp/kernel-2.6.6-root -r 2.6.6; fi
> WARNING: Couldn't open directory
> /var/tmp/kernel-2.6.6-root/lib/modules/2.6.6: Permission denied
> FATAL: Could not open
> /var/tmp/kernel-2.6.6-root/lib/modules/2.6.6/modules.dep.temp for
> writing: Permission denied
> make[1]: *** [_modinst_post] Error 1
> error: Bad exit status from /var/tmp/rpm-tmp.11877 (%install)
Steve suggested adding tmp_domain(depmod), which will allow search access to
tmp_t; however, I expect that /var/tmp/kernel-2.6.6-root/lib/modules/2.6.6
will have type sysadm_tmp_t, so something like the following will probably do
better:
allow depmod_t tmp_t:dir search;
rw_dir_create_file(depmod_t, sysadm_tmp_t)
But the ideal solution (IMHO) would be to build kernels as non-root and
non-sysadm_t. There is no reason why compiling a kernel should require
administrative access; if it won't compile as a regular user, then that's a
bug and should be filed in Bugzilla. user_t and staff_t can execute
depmod_exec_t without a domain transition and won't have any problems in this
regard.
> audit(1085609097.359:0): avc: denied { search } for pid=17414
> exe=/sbin/depmod name=tmp dev=hda2 ino=196228
> scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:tmp_t
> tclass=dir
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
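The following is an added example, not part of the thread above or of Russell's policy packages. It parses AVC denial lines of the form quoted in the thread into candidate `allow` rules, the way audit2allow does, so the rule Russell proposes (`allow depmod_t tmp_t:dir search;`) can be seen coming straight out of the audit record. The second and third input lines are constructed (not from the thread) to show how several permissions against the same type pair are merged into one rule; the real denial is the first line.

```python
import re
from collections import defaultdict

# Constructed sample input. Line 1 is the denial quoted in the thread;
# lines 2 and 3 are made up here to show permission merging.
SAMPLE_AVC = """\
audit(1085609097.359:0): avc: denied { search } for pid=17414 exe=/sbin/depmod name=tmp dev=hda2 ino=196228 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1085609097.360:0): avc: denied { write } for pid=17414 exe=/sbin/depmod name=modules.dep.temp dev=hda2 ino=196229 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:sysadm_tmp_t tclass=file
audit(1085609097.361:0): avc: denied { read } for pid=17414 exe=/sbin/depmod name=modules.dep.temp dev=hda2 ino=196229 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:sysadm_tmp_t tclass=file
"""

# Pull the permission set, source context, target context and object class
# out of one "avc: denied" record. Other fields (pid, exe, ino) are ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line; returns (source_type, target_type, tclass, perms)
    or None when the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    return (context_type(m.group("scon")),
            context_type(m.group("tcon")),
            m.group("tclass"),
            perms)


def collect_denials(text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        rules[(stype, ttype, tclass)].update(perms)
    return rules


def format_rules(rules):
    """Render grouped denials as policy 'allow' statements, sorted for
    stable output. These are candidates to review, not rules to apply
    blindly: a denial may instead mean the process is running in the
    wrong domain, as the thread argues for kernel builds under sysadm_t."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out


if __name__ == "__main__":
    for rule in format_rules(collect_denials(SAMPLE_AVC)):
        print(rule)
```

Run against the sample, the output is `allow depmod_t sysadm_tmp_t:file { read write };` followed by `allow depmod_t tmp_t:dir search;`. The second line is exactly Russell's first proposed rule; the first corresponds to the file side of his `rw_dir_create_file(depmod_t, sysadm_tmp_t)` macro, though a real audit trail for that step would also contain the directory-class denials the macro covers.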