selinux policy change yields unbootable initrd

Will Woods wwoods at redhat.com
Fri Mar 16 16:20:01 UTC 2007


(See my other mail on the subject here:
http://redhat.com/archives/fedora-test-list/2007-March/msg00295.html )

Something in selinux-policy-2.5.8-4.fc7 (and I think -3 as well) is
denying ldconfig permission to create symlinks in /tmp. mkinitrd uses
ldconfig to set up the symlinks in the initrd it creates (in a temp dir
under /tmp), so then nash won't load (missing ld-linux.so.2), so your
system won't boot.

Here's the relevant info, triggered when installing a new kernel (which
runs mkinitrd):

avc: denied { create } for comm="ldconfig" egid=0 euid=0
exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0
sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file
tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0 

Hope this helps,

-w
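As an added illustration (not part of the original mail), a small Python checker that parses AVC records in the format quoted above and flags the denial pattern the mail describes: ldconfig_t refused `create` on a `lnk_file` under a temporary-file label, the failure that leaves the mkinitrd image without ld-linux.so.2. The sample list is constructed: the first record is the mail's denial joined onto one line, the second is a made-up, unrelated denial used as a negative control.

```python
import re

# Constructed sample audit lines (see lead-in).
SAMPLE_LINES = [
    'avc: denied { create } for comm="ldconfig" egid=0 euid=0 '
    'exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0 '
    'sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file '
    'tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0',
    # Made-up control record: a denial that has nothing to do with initrd builds.
    'avc: denied { read } for comm="httpd" name="index.html" pid=9999 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC record into result, permission list and key=value fields.
    Returns None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in KV_RE.findall(m.group(3)):
        rec[key] = val.strip('"')
    return rec


def se_type(context):
    """Return the type component (user:role:type:level) of a security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def breaks_initrd_build(rec):
    """True when ldconfig_t is denied creating a symlink under a *_tmp_t label,
    which is the pattern that leaves mkinitrd's initrd without ld-linux.so.2."""
    return (rec.get("result") == "denied"
            and "create" in rec.get("perms", [])
            and rec.get("tclass") == "lnk_file"
            and se_type(rec.get("scontext", "")) == "ldconfig_t"
            and se_type(rec.get("tcontext", "")).endswith("_tmp_t"))


def find_initrd_breakers(lines):
    """Return the parsed records from `lines` matching the initrd-breaking pattern."""
    recs = (parse_avc(line) for line in lines)
    return [r for r in recs if r and breaks_initrd_build(r)]
```

Running it over /var/log/audit/audit.log (or dmesg output) before rebooting into a freshly installed kernel gives an early warning that the new initrd may be missing its dynamic loader.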
