On Mon, 2004-04-19 at 22:50, Valdis Kletnieks vt edu wrote:
> Running the fedora-devel code as of 0419.. hitting some issues
> with installing a new kernel due to mkinitrd failing.
>
> System has 1 disk, using LVM for the root filesystem - the bigger error seems
> to be LVM-specific (looks like bootloader_t needs to be able to do stuff
> with lvm_exec_t and lvm_etc_t).
I don't think anyone here has really messed seriously with SELinux and
LVM yet. Looks like you are the lucky winner :)
> rm: remove.c:378: AD_pop_and_chdir: Assertion `AD_stack_height (ds)' failed.
Nice. I think many applications were written with the idea that they
would always have permissions to the current working directory.
> How did I cause that? I was stupidly still cd'ed into /etc/security/selinux/src/policy at the time. ;)
Yeah.
> Apr 19 22:36:44 orange kernel: audit(1082428604.698:0): avc: denied { execute } for pid=15696 exe=/bin/bash name=dmsetup dev=dm-0 ino=65548 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
> Apr 19 22:36:44 orange kernel: audit(1082428604.698:0): avc: denied { read } for pid=15696 exe=/bin/bash name=dmsetup dev=dm-0 ino=65548 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
> Apr 19 22:36:44 orange kernel: audit(1082428604.729:0): avc: denied { execute } for pid=15711 exe=/bin/bash name=ls dev=dm-0 ino=16424 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:ls_exec_t tclass=file
> Apr 19 22:36:44 orange kernel: audit(1082428604.729:0): avc: denied { read } for pid=15711 exe=/bin/bash name=ls dev=dm-0 ino=16424 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:ls_exec_t tclass=file
> Apr 19 22:36:46 orange kernel: SELinux: initialized (dev loop0, type ext2), uses xattr
> Apr 19 22:36:47 orange kernel: audit(1082428607.002:0): avc: denied { read } for pid=15834 exe=/bin/cp name=lvm.static dev=dm-0 ino=72206 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
> Apr 19 22:36:47 orange kernel: audit(1082428607.007:0): avc: denied { read } for pid=15835 exe=/bin/cp name=lvm.conf dev=dm-0 ino=82396 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_etc_t tclass=file
I added stuff to try to fix this into policy, will be in the next
upload. Patch attached, let me know if it works for you...
--- policy-1.11.2/domains/program/unused/bootloader.te~ 2004-04-19 23:06:50.739961584 -0400
+++ policy-1.11.2/domains/program/unused/bootloader.te 2004-04-19 23:09:42.182898296 -0400
@@ -50,12 +50,14 @@
# maybe we should change the labeling for this
ifdef(`lvm.te', `
allow bootloader_t fixed_disk_device_t:chr_file rw_file_perms;
+domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)
+r_dir_file(bootloader_t, lvm_t)
')
# uncomment the following line if you use "lilo -p"
#file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file);
-can_exec(bootloader_t, { bootloader_exec_t shell_exec_t bin_t sbin_t })
+can_exec(bootloader_t, { bootloader_exec_t shell_exec_t ls_exec_t bin_t sbin_t })
allow bootloader_t shell_exec_t:lnk_file read;
allow bootloader_t { bin_t sbin_t }:dir search;
allow bootloader_t { bin_t sbin_t }:lnk_file read;
Attachment:
signature.asc
Description: This is a digitally signed message part