On Thu, 2004-05-27 at 14:45, Stephen Smalley wrote:
> On Thu, 2004-05-27 at 04:39, Matthew East wrote:
> > I cannot build and install a kernel with selinux enabled. Here is what
> > happens towards the end of the modules_install stage:
>
> > if [ -r System.map ]; then /sbin/depmod -ae -F System.map -b
> > /var/tmp/kernel-2.6.6-root -r 2.6.6; fi
> > WARNING: Couldn't open directory
> > /var/tmp/kernel-2.6.6-root/lib/modules/2.6.6: Permission denied
> > FATAL: Could not open
> > /var/tmp/kernel-2.6.6-root/lib/modules/2.6.6/modules.dep.temp for
> > writing: Permission denied
> > make[1]: *** [_modinst_post] Error 1
> > error: Bad exit status from /var/tmp/rpm-tmp.11877 (%install)
>
> Add 'tmp_domain(depmod)' to
> /etc/security/selinux/src/policy/domains/program/modutils.te and do a
> 'make load' in /etc/security/selinux/src/policy. yum install
> policy-sources if you don't already have it.
Ok will try this.
> > p.s. Just for the record, or in case they are useful, here are the error
> > messages I get when booting my new kernel which was compiled with
> > selinux set to permissive.
> >
> > Freeing unused kernel memory: 160k freed
> > security: 5 users, 7 roles, 1244 types, 1 bools
> > security: 30 classes, 303377 rules
> > SELinux: Completing initialization.
> > SELinux: Setting up existing superblocks.
> > SELinux: initialized (dev , type selinuxfs), uses genfs_contexts
> > SELinux: initialized (dev hda2, type ext3), uses xattr
> > audit(1085619351.268:0): avc: denied { ioctl } for pid=164
> > exe=/bin/bash path=/dev/null dev=hda2 ino=283937
> > scontext=system_u:system_r:kernel_t
> > tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> > audit(1085619351.271:0): avc: denied { getattr } for pid=176
> > exe=/bin/bash path=/etc/hotplug dev=hda2 ino=49185
> > scontext=system_u:system_r:kernel_t
> > tcontext=system_u:object_r:unlabeled_t tclass=dir
>
> Very odd; these certainly shouldn't be unlabeled_t. What does a
> getfilecon /etc/hotplug (or any of these files that are showing up with
> unlabeled_t) show?
I'm afraid I've removed the custom kernel so I can't tell you. I assumed
that the reason was that I'd compiled and installed the kernel with
selinux as permissive. In any case, under my current setup with the
fedora default kernel:
[matt@localhost matt]$ getfilecon /etc/hotplug
/etc/hotplug system_u:object_r:hotplug_etc_t
To be honest my system is a bit strange at the moment, and I've put
selinux back in permissive mode, as I keep finding strange things that I
can't do with it in enforcing mode with no error messages (e.g.
Openoffice.org doesn't open and I can't do a "glxgears" - weird huh?!)
So it's probably that I've done something wrong. The installation of
fedora was of test 2 and I've been updating it until Core 2. So maybe a
clean install would be a good idea.
Thanks very much for all your help.
