Bug 117785 - "rpm -ivh" of kernel rpm fails to create mkinitrd due to multiple avc denials
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
Blocks: FC2Blocker
Reported: 2004-03-08 15:58 UTC by Stephen Tweedie
Modified: 2007-11-30 22:10 UTC (History)
Doc Type: Bug Fix
Last Closed: 2004-04-07 02:06:15 UTC

Attachments
kernel log of avc errors during attempted kernel rpm install (deleted)
2004-03-08 15:59 UTC, Stephen Tweedie

Description Stephen Tweedie 2004-03-08 15:58:03 UTC
Description of problem:
Trying to install a kernel rpm results in massive failure to create
the initrd.

Version-Release number of selected component (if applicable):
rawhide-20040305 with newer policy
policy-1.7-8
rpm-4.3-0.17
mkinitrd-3.5.19-1

How reproducible:
100%

Steps to Reproduce:
1. "rpm -ivh kernel-*.rpm" with enforcing=1
  
Actual results:

# rpm -ivh kernel-2.6.3-2.1.242.i686.rpm
error: failed to stat /home: Permission denied
Preparing...                ########################################### [100%]
   1:kernel                 ########################################### [100%]
id: write error: Permission denied
id: write error: Permission denied
id: write error: Permission denied
/bin/bash: line 12: [: too many arguments
uname: write error: Permission denied
/sbin/new-kernel-pkg: line 32: [: =: unary operator expected
/sbin/new-kernel-pkg: line 37: [: too many arguments
/sbin/new-kernel-pkg: line 45: [: too many arguments
/sbin/new-kernel-pkg: line 51: [: too many arguments
uname: write error: Permission denied
/sbin/new-kernel-pkg: line 297: [: =: unary operator expected
id: write error: Permission denied
id: write error: Permission denied
id: write error: Permission denied
/bin/bash: line 12: [: too many arguments
uname: write error: Permission denied
/sbin/mkinitrd: line 42: [: =: unary operator expected
cut: -: Permission denied
awk: cmd. line:2: fatal: can't stat fd 0 (Permission denied)
cut: -: Permission denied
/sbin/mkinitrd: line 92: [: =: unary operator expected
egrep: fstat: Permission denied
awk: cmd. line:2: fatal: can't stat fd 0 (Permission denied)
awk: cmd. line:2: fatal: can't stat fd 0 (Permission denied)
awk: cmd. line:2: fatal: can't stat fd 0 (Permission denied)
No module -ide-disk found for kernel 2.6.3-2.1.242, aborting.
mkinitrd failed
(install then hangs until ^C)
error: %post(kernel-2.6.3-2.1.242) scriptlet failed, exit status 0
Expected results:
Correct install of rpm and creation of initrd.

Additional info:
AVC error log, attached.

Comment 1 Stephen Tweedie 2004-03-08 15:59:34 UTC
Created attachment 98371
kernel log of avc errors during attempted kernel rpm install

Comment 2 Daniel Walsh 2004-03-08 20:52:54 UTC
Put some fixes in -10 that should fix these problems.

Dan

Comment 3 Stephen Tweedie 2004-03-08 22:27:48 UTC
Is it built anywhere?  I can't see it on the build system yet.

Comment 4 Daniel Walsh 2004-03-18 05:09:12 UTC
Fixed in policy-1.9-1

Comment 5 Ben Levenson 2004-03-23 23:48:45 UTC
kernel install w/ policy-1.9-12. looks much better:
# rpm -ivh ../i686/kernel-2.6.4-1.286.i686.rpm
Preparing...                ########################################### [100%]
   1:kernel                 ########################################### [100%]
WARNING: /lib/modules/2.6.4-1.286/kernel/drivers/char/crash.ko needs unknown symbol page_is_ram
/bin/bash: /root/.bashrc: Permission denied

avc denials (enforcing on):
avc:  denied  { search } for  pid=24907 exe=/bin/bash name=root dev=hda2 ino=392449 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_dir_t tclass=dir
SELinux: initialized (dev loop0, type ext2), uses xattr

avc:  denied  { search } for  pid=25086 exe=/sbin/grubby name=root dev=hda2 ino=392449 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_dir_t tclass=dir
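
Added example, not part of the original bug thread or of the policy package: a Python parser that re-joins hard-wrapped AVC denial lines like those in comment 5 and groups them by source type, target type and object class, showing that both denials are the same bootloader_t access to staff_home_dir_t made by two different executables. The function names and SAMPLE_LOG are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials from comment 5, hard-wrapped the way pasted logs often are.
SAMPLE_LOG = """\
avc:  denied  { search } for  pid=24907 exe=/bin/bash name=root
dev=hda2 ino=392449 scontext=root:sysadm_r:bootloader_t
tcontext=root:object_r:staff_home_dir_t tclass=dir
SELinux: initialized (dev loop0, type ext2), uses xattr

avc:  denied  { search } for  pid=25086 exe=/sbin/grubby name=root
dev=hda2 ino=392449 scontext=root:sysadm_r:bootloader_t
tcontext=root:object_r:staff_home_dir_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
CONT_RE = re.compile(r"^\w+=\S")  # wrapped continuation lines start with key=value

def unwrap(text):
    """Re-join denial records that line wrapping split across lines."""
    records, in_avc = [], False
    for line in map(str.strip, text.splitlines()):
        if "avc:" in line:
            records.append(line)
            in_avc = True
        elif in_avc and CONT_RE.match(line):
            records[-1] += " " + line
        else:
            in_avc = False  # unrelated kernel line or blank line ends the record
    return records

def parse_avc(record):
    """Return one denial as a dict, or None if it is not a complete denial."""
    m = AVC_RE.search(record)
    d = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv) if m else {}
    if not {"scontext", "tcontext", "tclass"} <= d.keys():
        return None  # not a denial, or truncated: do not guess missing fields
    d["perms"] = m.group(1).split()
    # Contexts in these records have the form user:role:type; keep the type.
    d["stype"], d["ttype"] = (d[k].split(":")[2] for k in ("scontext", "tcontext"))
    return d

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "exes": set()})
    for d in filter(None, map(parse_avc, unwrap(text))):
        g = groups[(d["stype"], d["ttype"], d["tclass"])]
        g["perms"].update(d["perms"])
        g["exes"].add(d.get("exe", "?"))
    return dict(groups)
```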

Comment 6 Daniel Walsh 2004-04-07 02:06:15 UTC
Fixed in latest policy.  This is not audited.
