The kernel update (421) still fails under strict/enforcing mode. The context labels now appear to be in the rpm file, but I'm getting similar messages:
...... lots and lots of WARNING messages like:
WARNING: Couldn't stat /lib/modules/2.6.6-1.421/build/include/asm-i386/ptrace.h: Permission denied
WARNING: Couldn't stat /lib/modules/2.6.6-1.421/build/include/asm-i386/bug.h: Permission denied
WARNING: Couldn't stat /lib/modules/2.6.6-1.421/build/include/asm-i386/serial.h: Permission denied
WARNING: Couldn't stat /lib/modules/2.6.6-1.421/build/mm/Makefile: Permission denied
FATAL: Could not open /lib/modules/2.6.6-1.421/modules.dep.temp for writing: Permission denied
/bin/bash: /root/.bashrc: Permission denied
No dep file found for kernel 2.6.6-1.421
mkinitrd failed
My previous workaround (do 'setenforce 0; yum ....' followed by a relabel) did not work this time. The mkinitrd now fails even under permissive mode:
[root@dell selinux]# setenforce 0
[root@dell selinux]# yum install kernel
Gathering header information file(s) from server(s)
Server: Test Linux 2.6-test prerelease kernels
Server: Fedora Core 2 - i386 - Base
Server: Fedora Core 2 - Development Tree
Server: Fedora Core 2 - i386 - Released Updates
Finding updated packages
Downloading needed headers
Resolving dependencies
Dependencies resolved
I will do the following:
[install: kernel 2.6.6-1.421.i686]
Is this ok [y/N]: y
Downloading Packages
Running test transaction:
Test transaction complete, Success!
kernel 100 % done 1/1
memlock: Cannot allocate memory
Couldn't lock into memory, exiting.
mkinitrd failed
Since the latest kernels seemed to have auditing off, I can't locate anything interesting in /var/log/messages. (Looks like CONFIG_AUDIT is set to y in 421.)
Since the labels now appear correct in the rpm file, could this be something in the policy/context files? Any ideas?
The install of the 1.13.3-2 policy packages seemed to work OK. It left my /etc/selinux/config file untouched. (I guess I should have removed it prior to install.....sorry).
tom