
Re: A lot of AVC messages running "make install" from the kernel source dir.



Aleksey Nogin wrote:

If I install the kernel-source package and build a custom kernel, then
at "make install" I see:

rm: ??????? ??????? ??????????: Permission denied
rm: ??????? ??????? ??????????: Permission denied
rm: remove.c:378: AD_pop_and_chdir: Assertion `AD_stack_height (ds)' failed.
/sbin/mkinitrd: line 678: 11649 Aborted rm -rf $MNTIMAGE
$MNTPOINT $IMAGE
grubby: error moving /boot/grub/grub.conf- to /boot/grub/grub.conf:
Permission denied


And I see a huge number of AVC messages. Some of them are obviously a
bug (the grub.conf- should be created as bootloader_t, not as etc_t),
and for others I am not sure what would be the right thing to do.

audit(1081938574.814:0): avc:  denied  { search } for  pid=11483
exe=/bin/bash name=src dev=hda2 ino=4627617
scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t
tclass=dir
audit(1081938574.816:0): avc:  denied  { search } for  pid=11484
exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658
scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t
tclass=dir

In certain cases it is helpful to just run these avc messages through audit2allow.
All these messages basically came down to a couple of rules that have been added
to the latest policy.


A couple of tricks you might want to try

audit2allow -l -i /var/log/messages

Will output all rules for messages since the last time you ran a make load.

You can then take the output from this command and output it to the misc
subdirectory under policy:
audit2allow -l -i /var/log/messages > /etc/security/selinux/src/policy/domain/misc/later.te


Then do a make load to see if the policy compiles. If it does, see if this fixes your problem.
You have written your first policy.


In a lot of cases the rules that are generated by audit2allow will be disallowed due to assert.te and
constraints.te. For example, you will not be allowed to write files in the /etc/ directory. You should
look at how other programs handle this, usually through file_type_domain_trans.


Dan
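
As an added example (not code from Dan's or Aleksey's posts), here is a small Python script that does for the AVC lines quoted in the thread what the audit2allow step above does: parse the denials, collapse them into deduplicated allow rules, and flag any rule against etc_t, which the reply notes would be rejected by assert.te and which Aleksey's grub.conf- case shows is really a labelling problem. The sample denials are constructed: the two dir-search lines are the thread's messages joined onto one line each, and the rename denial is invented to exercise the flag.

```python
"""Added example: AVC denial lines -> allow-rule candidates, audit2allow style."""
import re
from collections import defaultdict

# Fields we need from one "avc: denied" line in the 2.6.5-era syslog format
# quoted in the thread (the field names are unchanged in later audit formats).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Target types for which an allow rule is the wrong fix: the reply says writes
# under /etc are blocked by assert.te/constraints.te, and the grub.conf- file
# should have been labelled bootloader_t, i.e. fix the labelling instead.
SUSPECT_TARGETS = {"etc_t"}

def parse_avc(line):
    """Return (source_type, target_type, tclass, set_of_perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]  # user:role:type -> type
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def avc_to_rules(lines):
    """Merge many denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        perm_str = perm_str if len(perms) == 1 else "{ %s }" % perm_str
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str))
    return rules

def suspect_rules(rules):
    """Rules whose target type means 'relabel', not 'allow'."""
    return [r for r in rules if r.split()[2].split(":")[0] in SUSPECT_TARGETS]

# Constructed sample: the thread's two denials, plus an invented rename denial.
SAMPLE_AVC = [
    "audit(1081938574.814:0): avc:  denied  { search } for  pid=11483 exe=/bin/bash name=src dev=hda2 ino=4627617 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir",
    "audit(1081938574.816:0): avc:  denied  { search } for  pid=11484 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir",
    "audit(1081938575.001:0): avc:  denied  { rename } for  pid=11650 exe=/sbin/grubby name=grub.conf- dev=hda2 ino=0 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:etc_t tclass=file",
]

if __name__ == "__main__":
    for rule in avc_to_rules(SAMPLE_AVC):
        print(("CHECK LABELLING: " if rule in suspect_rules([rule]) else "") + rule)
```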

