Running the fedora-devel code as of 0419.. hitting some issues with installing a new kernel due to mkinitrd failing. System has 1 disk, using LVM for the root filesystem - the bigger error seems to be LVM-specific (looks like bootloader_t needs to be able to do stuff with lvm_exec_t and lvm_etc_t).

First, a quick example of shooting yourself in the foot:

# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t
# /sbin/mkinitrd -v /boot/initrd-2.6.5-1.327.img 2.6.5-1.327
Looking for deps of module ide-disk
/sbin/mkinitrd: line 1: /bin/ls: Permission denied
Looking for deps of module ext3 jbd
Looking for deps of module jbd
Looking for deps of module dm-mod
Using modules: ./kernel/fs/jbd/jbd.ko ./kernel/fs/ext3/ext3.ko ./kernel/drivers/md/dm-mod.ko
Using loopback device /dev/loop0
rm: cannot get current directory: Permission denied
/sbin/nash -> /tmp/initrd.Y15570/bin/nash
/sbin/insmod.static -> /tmp/initrd.Y15570/bin/insmod
copy from /lib/modules/2.6.5-1.327/./kernel/fs/jbd/jbd.ko(elf32-i386) to /tmp/initrd.Y15570/lib/jbd.ko(elf32-i386)
copy from /lib/modules/2.6.5-1.327/./kernel/fs/ext3/ext3.ko(elf32-i386) to /tmp/initrd.Y15570/lib/ext3.ko(elf32-i386)
copy from /lib/modules/2.6.5-1.327/./kernel/drivers/md/dm-mod.ko(elf32-i386) to /tmp/initrd.Y15570/lib/dm-mod.ko(elf32-i386)
/sbin/lvm.static -> /tmp/initrd.Y15570/bin/lvm
cp: cannot open `/sbin/lvm.static' for reading: Permission denied
/etc/lvm -> /tmp/initrd.Y15570/etc/lvm
`/etc/lvm/lvm.conf' -> `/tmp/initrd.Y15570/etc/lvm/lvm.conf'
cp: cannot open `/etc/lvm/lvm.conf' for reading: Permission denied
Loading module jbd
Loading module ext3
Loading module dm-mod
rm: cannot get current directory: Permission denied
rm: remove.c:378: AD_pop_and_chdir: Assertion `AD_stack_height (ds)' failed.
/sbin/mkinitrd: line 678: 15649 Aborted                 rm -rf $MNTIMAGE $MNTPOINT $IMAGE
#

Ouch. Gotta love that final 'rm' error. :) How did I cause that?

I was stupidly still cd'ed into /etc/security/selinux/src/policy at the time. ;) Got *tons* of these:

Apr 19 22:31:27 orange kernel: audit(1082428287.917:0): avc: denied { search } for pid=15434 exe=/bin/bash name=policy dev=dm-0 ino=85034 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:policy_src_t tclass=dir

and here's the one that killed the rm command, I think:

Apr 19 22:31:28 orange kernel: audit(1082428288.257:0): avc: denied { search } for pid=15649 exe=/bin/rm name=policy dev=dm-0 ino=85034 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:policy_src_t tclass=dir

(total of 88 failed 'search' - odd part is that I did NOT have '.' in my $PATH).

OK, so take 2 - this gets rid of the 88 failed search requests:

# cd /
# /sbin/mkinitrd -v /boot/initrd-2.6.5-1.327.img 2.6.5-1.327
Looking for deps of module ide-disk
/sbin/mkinitrd: line 1: /bin/ls: Permission denied
Looking for deps of module ext3 jbd
Looking for deps of module jbd
Looking for deps of module dm-mod
Using modules: ./kernel/fs/jbd/jbd.ko ./kernel/fs/ext3/ext3.ko ./kernel/drivers/md/dm-mod.ko
Using loopback device /dev/loop0
/sbin/nash -> /tmp/initrd.f15792/bin/nash
/sbin/insmod.static -> /tmp/initrd.f15792/bin/insmod
copy from /lib/modules/2.6.5-1.327/./kernel/fs/jbd/jbd.ko(elf32-i386) to /tmp/initrd.f15792/lib/jbd.ko(elf32-i386)
copy from /lib/modules/2.6.5-1.327/./kernel/fs/ext3/ext3.ko(elf32-i386) to /tmp/initrd.f15792/lib/ext3.ko(elf32-i386)
copy from /lib/modules/2.6.5-1.327/./kernel/drivers/md/dm-mod.ko(elf32-i386) to /tmp/initrd.f15792/lib/dm-mod.ko(elf32-i386)
/sbin/lvm.static -> /tmp/initrd.f15792/bin/lvm
cp: cannot open `/sbin/lvm.static' for reading: Permission denied
/etc/lvm -> /tmp/initrd.f15792/etc/lvm
`/etc/lvm/lvm.conf' -> `/tmp/initrd.f15792/etc/lvm/lvm.conf'
cp: cannot open `/etc/lvm/lvm.conf' for reading: Permission denied
Loading module jbd
Loading module ext3
Loading module dm-mod

A bit better - here's the remaining avc messages:

Apr 19 22:36:44 orange kernel: audit(1082428604.698:0): avc: denied { execute } for pid=15696 exe=/bin/bash name=dmsetup dev=dm-0 ino=65548 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
Apr 19 22:36:44 orange kernel: audit(1082428604.698:0): avc: denied { read } for pid=15696 exe=/bin/bash name=dmsetup dev=dm-0 ino=65548 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
Apr 19 22:36:44 orange kernel: audit(1082428604.729:0): avc: denied { execute } for pid=15711 exe=/bin/bash name=ls dev=dm-0 ino=16424 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:ls_exec_t tclass=file
Apr 19 22:36:44 orange kernel: audit(1082428604.729:0): avc: denied { read } for pid=15711 exe=/bin/bash name=ls dev=dm-0 ino=16424 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:ls_exec_t tclass=file
Apr 19 22:36:46 orange kernel: SELinux: initialized (dev loop0, type ext2), uses xattr
Apr 19 22:36:47 orange kernel: audit(1082428607.002:0): avc: denied { read } for pid=15834 exe=/bin/cp name=lvm.static dev=dm-0 ino=72206 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
Apr 19 22:36:47 orange kernel: audit(1082428607.007:0): avc: denied { read } for pid=15835 exe=/bin/cp name=lvm.conf dev=dm-0 ino=82396 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_etc_t tclass=file
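To turn a pile of avc messages like the ones above into a reviewable list of policy gaps, here is a small added triage script (not part of the post or of the Fedora policy tooling). It groups denials by source type, target type and object class, the way audit2allow does, and lets you drop target types that are environmental noise rather than real policy gaps; the sample log is constructed from the avc lines quoted in the post, and the `policy_src_t` exclusion is there because, as the post explains, those 88 search denials came from the cwd, not from anything mkinitrd needs.

```python
import re
from collections import defaultdict

# Constructed sample: avc lines copied from the post above.
AVC_SAMPLE = """\
Apr 19 22:31:27 orange kernel: audit(1082428287.917:0): avc: denied { search } for pid=15434 exe=/bin/bash name=policy dev=dm-0 ino=85034 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:policy_src_t tclass=dir
Apr 19 22:36:44 orange kernel: audit(1082428604.698:0): avc: denied { execute } for pid=15696 exe=/bin/bash name=dmsetup dev=dm-0 ino=65548 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
Apr 19 22:36:44 orange kernel: audit(1082428604.698:0): avc: denied { read } for pid=15696 exe=/bin/bash name=dmsetup dev=dm-0 ino=65548 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
Apr 19 22:36:46 orange kernel: SELinux: initialized (dev loop0, type ext2), uses xattr
Apr 19 22:36:47 orange kernel: audit(1082428607.002:0): avc: denied { read } for pid=15834 exe=/bin/cp name=lvm.static dev=dm-0 ino=72206 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
Apr 19 22:36:47 orange kernel: audit(1082428607.007:0): avc: denied { read } for pid=15835 exe=/bin/cp name=lvm.conf dev=dm-0 ino=82396 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_etc_t tclass=file
"""

# Matches the old-style kernel avc format used in the post: "avc: denied { perms } ... scontext= tcontext= tclass=".
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return a dict for one denial line, or None for any other line (e.g. the 'SELinux: initialized' line)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {"perms": set(m.group("perms").split()),
            "scontext": m.group("scontext"), "tcontext": m.group("tcontext"),
            "tclass": m.group("tclass")}

def type_of(context):
    """'root:sysadm_r:bootloader_t' -> 'bootloader_t' (the type is always the third field)."""
    return context.split(":")[2]

def summarize(log, ignore_types=()):
    """Collapse denials into {(source_type, target_type, tclass): set(perms)}, skipping ignored target types."""
    rules = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or type_of(rec["tcontext"]) in ignore_types:
            continue
        rules[(type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])] |= rec["perms"]
    return dict(rules)

def to_allow_rules(rules):
    """Render the summary as SELinux allow rules, one per (source, target, class), for human review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    for rule in to_allow_rules(summarize(AVC_SAMPLE, ignore_types=("policy_src_t",))):
        print(rule)
```

The output is a starting point for reading the policy, not something to paste in unreviewed: the lvm_exec_t and lvm_etc_t rules are the real mkinitrd gaps the post identifies, while an unfiltered run would also propose granting bootloader_t search on policy_src_t, which only "fixes" the self-inflicted cwd problem.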