selinux policy change yields unbootable initrd
Stephen Smalley
sds at tycho.nsa.gov
Mon Mar 19 13:09:25 UTC 2007
On Fri, 2007-03-16 at 12:20 -0400, Will Woods wrote:
> (See my other mail on the subject here:
> http://redhat.com/archives/fedora-test-list/2007-March/msg00295.html )
>
> Something in selinux-policy-2.5.8-4.fc7 (and I think -3 as well) is
> denying ldconfig permission to create symlinks in /tmp. mkinitrd uses
> ldconfig to set up the symlinks in the initrd it creates (in a temp dir
> under /tmp), so then nash won't load (missing ld-linux.so.2), so your
> system won't boot.
>
> Here's the relevant info, triggered when installing a new kernel (which
> runs mkinitrd):
>
> avc: denied { create } for comm="ldconfig" egid=0 euid=0
> exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
> name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0
> sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file
> tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0
We shouldn't allow ldconfig to create files with rpm_script_tmp_t
(private temporary file type for rpm scriptlets), so something is wrong
here. How is the parent directory created?
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list