Permission denied when building kernel

Russell Coker russell at coker.com.au
Mon May 31 10:06:43 UTC 2004


On Thu, 27 May 2004 18:39, Matthew East <matthew.east at iue.it> wrote:
> I cannot build and install a kernel with selinux enabled. Here is what
> happens towards the end of the modules_install stage:
>
> if [ -r System.map ]; then /sbin/depmod -ae -F System.map -b
> /var/tmp/kernel-2.6.6-root -r 2.6.6; fi
> WARNING: Couldn't open directory
> /var/tmp/kernel-2.6.6-root/lib/modules/2.6.6: Permission denied
> FATAL: Could not open
> /var/tmp/kernel-2.6.6-root/lib/modules/2.6.6/modules.dep.temp for
> writing: Permission denied
> make[1]: *** [_modinst_post] Error 1
> error: Bad exit status from /var/tmp/rpm-tmp.11877 (%install)

Steve suggested adding tmp_domain(depmod), which will allow search access to 
tmp_t; however I expect that /var/tmp/kernel-2.6.6-root/lib/modules/2.6.6 
will have type sysadm_tmp_t, so something like the following will probably do 
better:
allow depmod_t tmp_t:dir search;
rw_dir_create_file(depmod_t, sysadm_tmp_t)

But the ideal solution (IMHO) would be to build kernels as non-root and 
non-sysadm_t.  There is no reason why compiling a kernel should require 
administrative access, if it won't compile as a regular user then that's a 
bug and should be filed in bugzilla.  user_t and staff_t can execute 
depmod_exec_t without a domain transition and won't have any problems in this 
regard.

> audit(1085609097.359:0): avc:  denied  { search } for  pid=17414
> exe=/sbin/depmod name=tmp dev=hda2 ino=196228
> scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:tmp_t
> tclass=dir

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
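The allow rule quoted in the reply above is exactly what the AVC denial at the
end of the message asks for. The script below, an added example that is not
part of the original mail or of any SELinux tool, derives the rule from the
audit line the way audit2allow does, so a reader can check a proposed rule
against the log before putting it in policy. It assumes the 2.6-era audit
message layout shown in the thread, with three-field security contexts
(user:role:type); the AVC_SAMPLE2 line is constructed here to exercise the
multi-permission form and is not taken from the thread. As the reply notes,
a rule generated this way only covers the denial that was logged: once depmod
gets past the tmp_t directory it will hit sysadm_tmp_t, so either the
rw_dir_create_file() rule or, better, building the kernel as an unprivileged
user is still needed.

```shell
#!/bin/sh
# Added example, not from the original mail or from audit2allow: turn an
# SELinux AVC "denied" message into the allow rule it asks for.
# Assumes the 2.6-era audit line layout quoted in the thread and three-field
# contexts (user:role:type); MLS/MCS levels would add a fourth field.

# Constructed sample: the denial quoted in the thread, joined onto one line.
AVC_SAMPLE='audit(1085609097.359:0): avc:  denied  { search } for  pid=17414 exe=/sbin/depmod name=tmp dev=hda2 ino=196228 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:tmp_t tclass=dir'

# Constructed sample (not from the thread): a denial with several permissions,
# of the kind depmod would hit in a sysadm_tmp_t directory.
AVC_SAMPLE2='audit(1085609098.001:0): avc:  denied  { write add_name } for  pid=17414 exe=/sbin/depmod name=2.6.6 dev=hda2 ino=196300 scontext=root:sysadm_r:depmod_t tcontext=root:object_r:sysadm_tmp_t tclass=dir'

# ctx_type NAME LINE: print the type field of the NAME=user:role:type context.
ctx_type() {
    printf '%s\n' "$2" | sed -n "s/.*$1=[^:]*:[^:]*:\\([^: ]*\\).*/\\1/p"
}

# avc_to_allow LINE: print "allow SRC TGT:CLASS PERMS;" for a denial line,
# or fail (status 1) when LINE is not an AVC denial or cannot be parsed.
avc_to_allow() {
    line=$1
    case $line in
        *'avc: '*'denied'*) ;;
        *) echo "avc_to_allow: not an AVC denial: $line" >&2; return 1 ;;
    esac
    # The permission set is the text between the braces after "denied".
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p')
    # Collapse runs of whitespace so the set is a single space-separated list.
    perms=$(echo $perms)
    src=$(ctx_type scontext "$line")
    tgt=$(ctx_type tcontext "$line")
    cls=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || {
        echo "avc_to_allow: could not parse: $line" >&2; return 1; }
    # A single permission is written bare; several are wrapped in { }.
    case $perms in
        *' '*) printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms" ;;
        *)     printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms" ;;
    esac
}

# Usage: run the sample (or a real line from /var/log/messages) through it.
avc_to_allow "$AVC_SAMPLE"
avc_to_allow "$AVC_SAMPLE2"
```

On the quoted denial the output is the search rule from the reply; the second
sample shows the braced form used when a denial lists more than one
permission. Feeding every denial in the log through a loop of this kind is how
one arrives at a complete rule set, but each rule should still be compared
with what the domain actually needs rather than added blindly.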
