Permission denied when building kernel

Stephen Smalley sds at epoch.ncsc.mil
Thu May 27 12:45:19 UTC 2004


On Thu, 2004-05-27 at 04:39, Matthew East wrote:
> I cannot build and install a kernel with selinux enabled. Here is what
> happens towards the end of the modules_install stage:

> if [ -r System.map ]; then /sbin/depmod -ae -F System.map -b
> /var/tmp/kernel-2.6.6-root -r 2.6.6; fi
> WARNING: Couldn't open directory
> /var/tmp/kernel-2.6.6-root/lib/modules/2.6.6: Permission denied
> FATAL: Could not open
> /var/tmp/kernel-2.6.6-root/lib/modules/2.6.6/modules.dep.temp for
> writing: Permission denied
> make[1]: *** [_modinst_post] Error 1
> error: Bad exit status from /var/tmp/rpm-tmp.11877 (%install)

Add 'tmp_domain(depmod)' to
/etc/security/selinux/src/policy/domains/program/modutils.te and do a
'make load' in /etc/security/selinux/src/policy.  yum install
policy-sources if you don't already have it.

> p.s. Just for the record, or in case they are useful, here are the error
> messages I get when booting my new kernel which was compiled with
> selinux set to permissive.
> 
> Freeing unused kernel memory: 160k freed
> security:  5 users, 7 roles, 1244 types, 1 bools
> security:  30 classes, 303377 rules
> SELinux:  Completing initialization.
> SELinux:  Setting up existing superblocks.
> SELinux: initialized (dev , type selinuxfs), uses genfs_contexts
> SELinux: initialized (dev hda2, type ext3), uses xattr
> audit(1085619351.268:0): avc:  denied  { ioctl } for  pid=164
> exe=/bin/bash path=/dev/null dev=hda2 ino=283937
> scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> audit(1085619351.271:0): avc:  denied  { getattr } for  pid=176
> exe=/bin/bash path=/etc/hotplug dev=hda2 ino=49185
> scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:unlabeled_t tclass=dir

Very odd; these certainly shouldn't be unlabeled_t.  What does a
getfilecon /etc/hotplug (or any of these files that are showing up with
unlabeled_t) show?

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
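
Added example, not part of the original message or of any SELinux tool: a small Python parser for the AVC denials quoted above. It rejoins the mail-wrapped records and lists the paths whose target type is unlabeled_t, which are the files to inspect with getfilecon. The function names are illustrative and the sample input is constructed from the quoted lines.

```python
import re

# Constructed sample: the two denials quoted in the message above, with
# the "> " mail quoting and line wrapping left as they appear there.
SAMPLE = """\
> audit(1085619351.268:0): avc:  denied  { ioctl } for  pid=164
> exe=/bin/bash path=/dev/null dev=hda2 ino=283937
> scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> audit(1085619351.271:0): avc:  denied  { getattr } for  pid=176
> exe=/bin/bash path=/etc/hotplug dev=hda2 ino=49185
> scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:unlabeled_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def ctx_type(context):
    """The type is the third field of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def parse_avc(text):
    """Rejoin wrapped records and return one dict per AVC denial."""
    joined, current = [], []
    for raw in text.splitlines() + [""]:          # "" flushes the last record
        line = re.sub(r"^(>\s?)+", "", raw).strip()  # drop mail quoting
        if (line.startswith("audit(") or not line) and current:
            joined.append(" ".join(current))
            current = []
        if line.startswith("audit(") or (line and current):
            current.append(line)
    denials = []
    for record in joined:
        m = AVC_RE.search(record)
        if m:
            d = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
            d["perms"] = m.group(1).split()
            d["ttype"] = ctx_type(d.get("tcontext", ""))
            denials.append(d)
    return denials

def unlabeled_paths(denials):
    """Paths whose target type is unlabeled_t: candidates for getfilecon."""
    return sorted({d["path"] for d in denials
                   if d["ttype"] == "unlabeled_t" and "path" in d})

if __name__ == "__main__":
    for p in unlabeled_paths(parse_avc(SAMPLE)):
        print("check label with: getfilecon", p)
```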




More information about the fedora-selinux-list mailing list