On Thu, 27 May 2004 18:39, Matthew East <matthew.east@xxxxxx> wrote:
> I cannot build and install a kernel with selinux enabled. Here is what
> happens towards the end of the modules_install stage:
>
> if [ -r System.map ]; then /sbin/depmod -ae -F System.map -b
> /var/tmp/kernel-2.6.6-root -r 2.6.6; fi
> WARNING: Couldn't open directory
> /var/tmp/kernel-2.6.6-root/lib/modules/2.6.6: Permission denied
> FATAL: Could not open
> /var/tmp/kernel-2.6.6-root/lib/modules/2.6.6/modules.dep.temp for
> writing: Permission denied
> make[1]: *** [_modinst_post] Error 1
> error: Bad exit status from /var/tmp/rpm-tmp.11877 (%install)

Steve suggested adding tmp_domain(depmod); that will allow search access to
tmp_t. However, I expect that /var/tmp/kernel-2.6.6-root/lib/modules/2.6.6 will
have type sysadm_tmp_t, so something like the following will probably do better:

allow depmod_t tmp_t:dir search;
rw_dir_create_file(depmod_t, sysadm_tmp_t)

But the ideal solution (IMHO) would be to build kernels as non-root and
non-sysadm_t. There is no reason why compiling a kernel should require
administrative access; if it won't compile as a regular user then that's a bug
and should be filed in bugzilla. user_t and staff_t can execute depmod_exec_t
without a domain transition and won't have any problems in this regard.

> audit(1085609097.359:0): avc: denied { search } for pid=17414
> exe=/sbin/depmod name=tmp dev=hda2 ino=196228
> scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:tmp_t
> tclass=dir

-- 
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
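As an added illustration (not part of the thread), the following script turns the AVC denial quoted above into the `allow depmod_t tmp_t:dir search;` rule proposed in the reply, and merges repeated denials for the same source/target/class. The second denial against sysadm_tmp_t is constructed to show the follow-on denial the reply predicts once search on tmp_t is permitted; it is not from the original post.

```python
import re

# Constructed sample: the AVC denial quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    "audit(1085609097.359:0): avc: denied { search } for pid=17414 "
    "exe=/sbin/depmod name=tmp dev=hda2 ino=196228 "
    "scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:tmp_t tclass=dir"
)

# Constructed follow-on denials (hypothetical), of the kind expected once
# depmod_t may search tmp_t but the module directory is sysadm_tmp_t.
FOLLOWON_AVCS = [
    "avc: denied { write } for pid=17414 exe=/sbin/depmod name=2.6.6 "
    "scontext=root:sysadm_r:depmod_t tcontext=root:object_r:sysadm_tmp_t tclass=dir",
    "avc: denied { add_name } for pid=17414 exe=/sbin/depmod name=modules.dep.temp "
    "scontext=root:sysadm_r:depmod_t tcontext=root:object_r:sysadm_tmp_t tclass=dir",
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Extract source domain, target type, object class and denied permissions."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # The type is the third field of a user:role:type[:range] security context.
    sdomain = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return {"source": sdomain, "target": ttype,
            "tclass": m.group("tclass"), "perms": m.group("perms").split()}

def allow_rule(denial):
    """Render one denial as a TE allow rule in policy syntax."""
    perms = denial["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {denial['source']} {denial['target']}:{denial['tclass']} {perm_str};"

def rules_from_log(lines):
    """Merge denials sharing (source, target, class) into one rule each."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            merged.setdefault((d["source"], d["target"], d["tclass"]), set()).update(d["perms"])
    return [allow_rule({"source": s, "target": t, "tclass": c, "perms": sorted(p)})
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    for rule in rules_from_log([SAMPLE_AVC] + FOLLOWON_AVCS):
        print(rule)
```

Each generated rule only grants what the log actually showed was denied; a build that runs as root will keep surfacing new denials until the whole path is covered, which is the reply's argument for building kernels as an unprivileged user in the first place.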