On Thu, 2004-12-16 at 03:43 -0500, Richard Hally wrote:
> Ralf Corsepius wrote:
> >Trying to create a char-device as ordinary user, results in this:
> ># mknod /var/tmp/bla-1.0.0/etc/udev/devices/bla01 c 212 0
> >mknod: `/var/tmp/bla-1.0.0/etc/udev/devices/bla01': Operation not permitted
> >
> >Any explanation for this behavior?
> >
> >Is it mknod trying to be overly clever or is it an selinux bug (This is
> >on a FC3 system with selinux-policy-targeted)?
> >
> >This issue prevents one from being able to build rpms containing special
> >devices as ordinary users.
> The first thing to look for if you suspect SELinux is avc denied
> messages in /var/log/messages.

No such message.

> Another thing to try is to "setenforce 0"

Tried, it didn't change anything. I also tried on a system booted with selinux=0.

> and try the command again to see if you get different results.

I fear the culprit is the mknod syscall, i.e. glibc.

Stracing shows mknod(2) returning EPERM, and man 2 mknod says:

  EPERM  mode requested creation of something other than a regular file,
         FIFO (named pipe), or Unix domain socket, and the caller is not
         the superuser;

=> Building rpms as ordinary user can not work for packages wanting to provide special files (typically kernel drivers).

I am stumped - this is a pretty severe security issue as far as rpms are concerned.

Ralf