Bug 117785

Summary: "rpm -ivh" of kernel rpm fails to create mkinitrd due to multiple avc denials
Product: [Fedora] Fedora Reporter: Stephen Tweedie <sct>
Component: policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: russell, sct
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-04-07 02:06:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 114961    
Attachments:
Description Flags
kernel log of avc errors during attempted kernel rpm install none

Description Stephen Tweedie 2004-03-08 15:58:03 UTC 
Description of problem:
Trying to install a kernel rpm results in massive failure to create
the initrd.

Version-Release number of selected component (if applicable):
rawhide-20040305 with newer policy
policy-1.7-8
rpm-4.3-0.17
mkinitrd-3.5.19-1

How reproducible:
100%

Steps to Reproduce:
1. "rpm -ivh kernel-*.rpm" with enforcing=1
  
Actual results:

# rpm -ivh kernel-2.6.3-2.1.242.i686.rpm
error: failed to stat /home: Permission denied
Preparing...               
########################################### [100%]
   1:kernel                
########################################### [100%]
id: write error: Permission denied
id: write error: Permission denied
id: write error: Permission denied
/bin/bash: line 12: [: too many arguments
uname: write error: Permission denied
/sbin/new-kernel-pkg: line 32: [: =: unary operator expected
/sbin/new-kernel-pkg: line 37: [: too many arguments
/sbin/new-kernel-pkg: line 45: [: too many arguments
/sbin/new-kernel-pkg: line 51: [: too many arguments
uname: write error: Permission denied
/sbin/new-kernel-pkg: line 297: [: =: unary operator expected
id: write error: Permission denied
id: write error: Permission denied
id: write error: Permission denied
/bin/bash: line 12: [: too many arguments
uname: write error: Permission denied
/sbin/mkinitrd: line 42: [: =: unary operator expected
cut: -: Permission denied
awk: cmd. line:2: fatal: can't stat fd 0 (Permission denied)
cut: -: Permission denied
/sbin/mkinitrd: line 92: [: =: unary operator expected
egrep: fstat: Permission denied
awk: cmd. line:2: fatal: can't stat fd 0 (Permission denied)
awk: cmd. line:2: fatal: can't stat fd 0 (Permission denied)
awk: cmd. line:2: fatal: can't stat fd 0 (Permission denied)
No module -ide-disk found for kernel 2.6.3-2.1.242, aborting.
mkinitrd failed
(install then hangs until ^C)
error: %post(kernel-2.6.3-2.1.242) scriptlet failed, exit status 0
sults:


Expected results:
Correct install of rpm and creation of initrd.

Additional info:
AVC error log, attached.
Comment 1 Stephen Tweedie 2004-03-08 15:59:34 UTC 
Created attachment 98371 [details]
kernel log of avc errors during attempted kernel rpm install
Comment 2 Daniel Walsh 2004-03-08 20:52:54 UTC 
Put some fixes in -10 that should fix these problems.

Dan
Comment 3 Stephen Tweedie 2004-03-08 22:27:48 UTC 
Is it built anywhere?  I can't see it on the build system yet.
Comment 4 Daniel Walsh 2004-03-18 05:09:12 UTC 
Fixed in policy-1.9-1
Comment 5 Ben Levenson 2004-03-23 23:48:45 UTC 
kernel install w/ policy-1.9-12. looks much better:
# rpm -ivh ../i686/kernel-2.6.4-1.286.i686.rpm
Preparing...               
########################################### [100%]
   1:kernel                
########################################### [100%]
WARNING: /lib/modules/2.6.4-1.286/kernel/drivers/char/crash.ko needs
unknown symbol page_is_ram
/bin/bash: /root/.bashrc: Permission denied

avc denials (enforcing on):
avc:  denied  { search } for  pid=24907 exe=/bin/bash name=root
dev=hda2 ino=392449 scontext=root:sysadm_r:bootloader_t
tcontext=root:object_r:staff_home_dir_t tclass=dir
SELinux: initialized (dev loop0, type ext2), uses xattr

avc:  denied  { search } for  pid=25086 exe=/sbin/grubby name=root
dev=hda2 ino=392449 scontext=root:sysadm_r:bootloader_t
tcontext=root:object_r:staff_home_dir_t tclass=dir
Comment 6 Daniel Walsh 2004-04-07 02:06:15 UTC 
Fixed in latest policy.  This is not audited.