A lot of AVC messages running "make install" from the kernel source dir.

Daniel J Walsh dwalsh at redhat.com
Thu Apr 15 01:16:23 UTC 2004


Aleksey Nogin wrote:

> If I install the kernel-source package and build a custom kernel, then
> at "make install" I see:
>
> rm: ??????? ??????? ??????????: Permission denied
> rm: ??????? ??????? ??????????: Permission denied
> rm: remove.c:378: AD_pop_and_chdir: Assertion `AD_stack_height (ds)' 
> failed.
> /sbin/mkinitrd: line 678: 11649 Aborted                 rm -rf $MNTIMAGE
> $MNTPOINT $IMAGE
> grubby: error moving /boot/grub/grub.conf- to /boot/grub/grub.conf:
> Permission denied
>
> And I see a huge number of AVC messages. Some of them are obviously a
> bug (the grub.conf- should be created as bootloader_t, not as etc_t),
> and for others I am not sure what would be the right thing to do.
>
> audit(1081938574.814:0): avc:  denied  { search } for  pid=11483
> exe=/bin/bash name=src dev=hda2 ino=4627617
> scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t
> tclass=dir
> audit(1081938574.816:0): avc:  denied  { search } for  pid=11484
> exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658
> scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t
> tclass=dir

In certain cases it is helpful to just run these avc messages through audit2allow.
All these messages basically came down to a couple of rules that have been added
to the latest policy.

A couple of tricks you might want to try

audit2allow -l -i /var/log/messages 

Will output all rules for messages since the last time you ran a make load.

You can then take the output from this command and output it to the misc
subdirectory under policy:

audit2allow -l -i /var/log/messages > /etc/security/selinux/src/policy/domain/misc/later.te

Then do a make load to see if the policy compiles.  If it does, see if this fixes
your problem.  You have written your first policy.

In a lot of cases the rules that are generated by audit2allow will be disallowed
due to the assert.te and constraints.te.  For example you will not be allowed to
write files in the /etc/ directory.  You should look at how other programs handle
this, usually through file_type_domain_trans.

Dan
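What audit2allow does with the messages quoted above, as an added example that is not part of this thread and not audit2allow's own code: a small Python script that turns the two quoted AVC lines (plus one constructed line modelling the grub.conf- denial, whose exact message is not in the thread) into merged allow rules, and flags the etc_t write that assert.te would reject, as Dan describes. The PROTECTED_WRITES set is an assumption standing in for assert.te/constraints.te.

```python
import re
from collections import defaultdict

# Two AVC lines quoted in the thread, plus one CONSTRUCTED line that models the
# grub.conf- denial the reporter describes (its exact message is not on the page).
SAMPLE_LOG = """\
audit(1081938574.814:0): avc:  denied  { search } for  pid=11483 exe=/bin/bash name=src dev=hda2 ino=4627617 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir
audit(1081938574.816:0): avc:  denied  { search } for  pid=11484 exe=/bin/bash name=linux-2.6.5-1.319 dev=hda2 ino=4627658 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:src_t tclass=dir
audit(1081938574.900:0): avc:  denied  { write } for  pid=11650 exe=/sbin/grubby name=grub.conf- dev=hda2 ino=12345 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:etc_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

# Assumption for this example: assert.te/constraints.te forbid non-etc domains
# from writing etc_t, so such rules are flagged for review instead of emitted.
PROTECTED_WRITES = {("etc_t", "file"): {"write", "append", "create", "unlink", "rename"}}

def type_of(context):
    """Return the type component of a user:role:type SELinux context."""
    return context.split(":")[2]

def collect_rules(log_text):
    """Group AVC denials by (source type, target type, class), merging permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def render_rules(rules):
    """Emit allow rules in audit2allow's format; flag ones assert.te would reject."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        blocked = perms & PROTECTED_WRITES.get((tgt, cls), set())
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if blocked:
            # A write into /etc by bootloader_t points at a labeling bug, not a missing rule.
            rule = f"# REVIEW (assert.te): {rule}  -> fix the file label instead"
        out.append(rule)
    return out

if __name__ == "__main__":
    print("\n".join(render_rules(collect_rules(SAMPLE_LOG))))
```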
