Bug 155015 - depmod fails during rpmbuild of kernel: System.map O_RDONLY
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: powerpc Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-04-15 14:00 EDT by John Reiser
Modified: 2007-11-30 17:11 EST

Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Last Closed: 2005-09-15 12:00:33 EDT


Attachments:
strace of depmod (1.73 KB, text/plain)
2005-04-15 14:04 EDT, John Reiser
grep depmod /var/log/audit/auditd.log (9.34 KB, text/plain)
2005-04-16 01:26 EDT, John Reiser

Description John Reiser 2005-04-15 14:00:56 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1

Description of problem:
"rpmbuild -bc --target ppc kernel-2.6.spec" fails at "make modules_install" step because depmod cannot open System.map for O_RDONLY, even though System.map exists and is readable (and the directory is searchable).


Version-Release number of selected component (if applicable):
module-init-tools-3.1-2

How reproducible:
Always

Steps to Reproduce:
1. rpm --install kernel-2.6.11-1.1240_FC4.src.rpm
2. cd SPECS;  then remove the "-s" at line 833 of kernel-2.6.spec so that "make modules_install" shows the commands that it invokes.
3. rpmbuild -bc --target ppc kernel-2.6.spec >rpm.out 2>&1 &
  

Actual Results:  rpmbuild fails (Exit 1) at the "make modules_install" stage, with last command:
-----
if [ -r System.map -a -x /sbin/depmod ]; then /sbin/depmod -ae -F System.map -b /var/tmp/kernel-2.6.11-1.1240_FC4.jreiser-root -r 2.6.11-1.1240_FC4.jreiser; fi
make: *** [_modinst_post] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.34550 (%build)
-----

Running the depmod command under strace shows:
-----
   [snip]
brk(0)                                  = 0x10027000
brk(0x10048000)                         = 0x10048000
open("System.map", O_RDONLY)            = -1 EACCES (Permission denied)
write(2, "FATAL: ", 7)                  = 7
write(2, "Could not open \'System.map\': Per"..., 47) = 47
exit_group(1)                           = ?
-----




Expected Results:  The depmod should have opened System.map, proceeded, and eventually succeeded.

Additional info:
Comment 1 John Reiser 2005-04-15 14:04:45 EDT
Created attachment 113238 [details]
strace of depmod

complete 27-line strace of depmod execution.
Current directory is BUILD/kernel-2.6.11/linux-2.6.11 with drwxr-xr-x
permissions,
System.map exists (692479 bytes) with -rw-r--r-- permissions.
Comment 2 John Reiser 2005-04-15 14:08:26 EDT
SELinux is in targeted enforcing mode.
/var/log/messages contains no "avc" messages about System.map or depmod.
(The only "avc" are for PrinterSpooler PrinterAdded.)
Comment 3 Bill Nottingham 2005-04-15 14:09:47 EDT
I'm assuming that turning off enforcing doesn't change it?
Comment 4 John Reiser 2005-04-15 21:35:04 EDT
Selinux DOES matter:
Rebooting with "disabled targeted" makes it work.
Rebooting with "permissive targeted" makes it work.
Rebooting with "enforcing targeted" makes it fail again.

Installed rpms are:
kernel-2.6.11-1.1240_FC4
selinux-policy-targeted-1.23.11-1
libselinux-1.23.7-2
libselinux-devel-1.23.7-2

rpmbuild was done as unprivileged user, with $HOME/.rpmmacros:
-----
%packager %(echo $USER)
%_topdir %(echo "$HOME")/rpmbuild
-----
and $HOME/rpmbuild and everything below it is owned by $USER, and $USER
has access to everything in the $HOME/rpmbuild tree.
Comment 5 John Reiser 2005-04-15 21:36:34 EDT
All 4 times with the sequence {enforcing, disabled, permissive, enforcing} there
are no "avc" messages in /var/log/messages that refer to depmod or System.map.
Comment 6 Daniel Walsh 2005-04-15 23:28:26 EDT
Do you have avc messages in /var/log/audit/auditd.log?
Comment 7 John Reiser 2005-04-16 01:25:33 EDT
Yes, 41 of them.  I'll attach the output from "grep depmod
/var/log/audit/auditd.log".  System.map is inode 134868.
Comment 8 John Reiser 2005-04-16 01:26:34 EDT
Created attachment 113268 [details]
grep depmod /var/log/audit/auditd.log
Comment 9 Daniel Walsh 2005-04-19 11:41:01 EDT
What context are you running the build under?  sysadm_t?

For a normal user depmod should not be transitioning, I think.

Dan
Comment 10 John Reiser 2005-04-19 12:16:08 EDT
Um, "plain user" context: logged in as ordinary non-privileged user, no known
actions taken that would change context.  [What is the shell-level command to
show which context is current?]
Comment 11 Daniel Walsh 2005-04-19 13:19:54 EDT
id -Z
Comment 12 John Reiser 2005-04-19 13:23:17 EDT
user_u:system_r:unconfined_t

[It would be handy if "apropos context" said something about 'id'.]
Comment 13 Daniel Walsh 2005-04-21 08:20:09 EDT
I don't know why it does not.  It is mentioned in the man page

man id
...
       -Z, --context
              print only the security context

Anyways latest policy (1.23.12-1) should not transition from unconfined_t to
depmod_t so this should be fixed.  Please try it
Comment 14 John Reiser 2005-04-21 14:13:22 EDT
selinux-policy-targeted-1.23.12-1 fails the same way on the surface, but
differently underneath.  kernel-2.6.11-1.1253_FC4 is running,
/etc/selinux/config specifies enforcing targeted.

/var/log/audit/audit.log contains nothing of apparent interest.  However,
/var/log/messages contains
-----
Apr 21 15:53:29 mini kernel: audit(1114124009.718:0): avc:  denied  { write }
for  pid=29921 exe=/sbin/depmod path=/home/jreiser/rpmbuild/SPECS/rpm.out
dev=hda4 ino=133182 scontext=user_u:system_r:depmod_t
tcontext=user_u:object_r:default_t tclass=file
Apr 21 15:56:49 mini kernel: audit(1114124209.192:0): avc:  denied  { write }
for  pid=609 exe=/sbin/depmod path=/home/jreiser/rpmbuild/SPECS/rpm.out
dev=hda4 ino=133182 scontext=user_u:system_r:depmod_t
tcontext=user_u:object_r:default_t tclass=file
Apr 21 15:56:49 mini kernel: audit(1114124209.192:0): avc:  denied  { write }
for  pid=609 exe=/sbin/depmod path=/home/jreiser/rpmbuild/SPECS/rpm.out
dev=hda4 ino=133182 scontext=user_u:system_r:depmod_t
tcontext=user_u:object_r:default_t tclass=file
Apr 21 15:56:49 mini kernel: audit(1114124209.193:0): avc:  denied  { search }
for  pid=609 exe=/sbin/depmod name=linux-2.6.11 dev=hda4 ino=130573
scontext=user_u:system_r:depmod_t tcontext=user_u:object_r:default_t tclass=dir
-----
[The clock is ahead by 7 hours due to a dispute between Mac OS X and Linux over
which timezone the Mac mini hardware (ppc) is in, and how that is represented.]

Also note that /var/log/messages earlier had
-----
Apr 21 14:28:34 mini kernel: audit(1114118913.748:0): avc:  denied  { setsched }
for  pid=1933 exe=/sbin/auditd scontext=user_u:system_r:auditd_t
tcontext=user_u:system_r:auditd_t tclass=process
Apr 21 14:28:34 mini kernel: SELinux: initialized (dev rpc_pipefs, type
rpc_pipefs), uses genfs_contexts
-----
so something doesn't look right with auditd.

As originally, the rpmbuild of the kernel fails with
-----
if [ -r System.map -a -x /sbin/depmod ]; then /sbin/depmod -ae -F System.map -b
/var/tmp/kernel-2.6.11-1.1240_FC4.jreiser-root -r 2.6.11-1.1240_FC4.jreiser; fi
make: *** [_modinst_post] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.75435 (%build)
-----
Re-running the /sbin/depmod command under strace shows the same problem with
open("System.map", O_RDONLY) getting EACCES. The re-running also causes a new
complaint in /var/log/messages of
-----
Apr 21 17:52:33 mini kernel: audit(1114131153.055:0): avc:  denied  { search }
for  pid=1444 exe=/sbin/depmod name=linux-2.6.11 dev=hda4 ino=130573
scontext=user_u:system_r:depmod_t tcontext=user_u:object_r:default_t tclass=dir
-----


[The reason why "apropos context" says nothing about id(1) is that id(1) does
not contain the string "context" in its NAME title line, which is "id - print
real and effective UIDs and GIDs".]

Comment 15 David Juran 2005-04-21 15:34:07 EDT
I'd just like to add that I get a very similar error message trying to rebuild
kernel-2.6.11-1.1253_FC4.src.rpm on a i686. It fails in the same place, but the
only lines I have in my messages-file are:

Apr 21 21:20:39 c83-248-2-203 kernel: audit(1114111239.735:0): avc:  denied  {
search } for  pid=7504 exe=/sbin/depmod name=var dev=hdb2 ino=163841
scontext=user_u:system_r:depmod_t tcontext=system_u:object_r:var_t tclass=dir

Apr 21 21:20:40 c83-248-2-203 kernel: audit(1114111239.956:0): avc:  denied  {
search } for  pid=7504 exe=/sbin/depmod name=var dev=hdb2 ino=163841
scontext=user_u:system_r:depmod_t tcontext=system_u:object_r:var_t tclass=dir


I'm running selinux-policy-targeted-1.23.12-1 
If I build running the system in permissive mode, everything works fine.
Comment 16 John Reiser 2005-05-11 13:05:03 EDT
Same problem [strongly related, anyway] with new symptom now happens on FC4test3
(PowerPC Mac mini) using
kernel-2.6.11-1.1290_FC4
selinux-policy-targeted-1.23.14-2  ## targeted enforcing

Symptom is:
make ARCH=ppc INSTALL_MOD_PATH=/var/tmp/kernel-2.6.11-1.1290_FC4.jreiser-root
modules_install KERNELRELEASE=2.6.11-1.1290_FC4.jreiser
[snip long list of INSTALL <module>, ending with:]
INSTALL sound/usb/usx2y/snd-usb-usx2y.ko
if [ -r System.map -a -x /sbin/depmod ]; then /sbin/depmod -ae -F System.map -b
/var/tmp/kernel-2.6.11-1.1290_FC4.jreiser-root -r 2.6.11-1.1290_FC4.jreiser; fi
WARNING: Couldn't open directory
/var/tmp/kernel-2.6.11-1.1290_FC4.jreiser-root/lib/modules/2.6.11-1.1290_FC4.jreiser:
Permission denied
FATAL: Could not open
/var/tmp/kernel-2.6.11-1.1290_FC4.jreiser-root/lib/modules/2.6.11-1.1290_FC4.jreiser/modules.dep.temp
for writing: Permission denied
make: *** [_modinst_post] Error 1

/var/log/audit/auditd.log has:
type=KERNEL msg=audit(1115828840.789:0): avc:  denied  { write } for 
path=/home/jreiser/rpmbuild/SPECS/rpm.out dev=hda4 ino=554590
scontext=user_u:system_r:depmod_t tcontext=user_u:object_r:user_home_t tclass=file
type=KERNEL msg=audit(1115829017.064:0): avc:  denied  { write } for 
path=/home/jreiser/rpmbuild/SPECS/rpm.out dev=hda4 ino=554590
scontext=user_u:system_r:depmod_t tcontext=user_u:object_r:user_home_t tclass=file
type=KERNEL msg=audit(1115829017.064:0): avc:  denied  { write } for 
path=/home/jreiser/rpmbuild/SPECS/rpm.out dev=hda4 ino=554590
scontext=user_u:system_r:depmod_t tcontext=user_u:object_r:user_home_t tclass=file
type=KERNEL msg=audit(1115829017.237:0): avc:  denied  { search } for  name=var
dev=hda4 ino=1663009 scontext=user_u:system_r:depmod_t
tcontext=system_u:object_r:var_t tclass=dir
type=KERNEL msg=audit(1115829017.237:0): avc:  denied  { search } for  name=var
dev=hda4 ino=1663009 scontext=user_u:system_r:depmod_t
tcontext=system_u:object_r:var_t tclass=dir

Build is being done as: $ id -Z
user_u:system_r:unconfined_t


So, the summary is: depmod doesn't work during kernel build as ordinary user
under targeted enforcing policy.
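The diagnosis in Comments 14 through 16 rests on reading AVC denial records out of two differently formatted logs (the syslog "kernel: audit(...)" lines in /var/log/messages and the "type=KERNEL msg=audit(...)" lines in /var/log/audit/auditd.log) and noticing that /sbin/depmod is running as depmod_t although the build shell is unconfined_t. The following is an added example, not code from the bug report or from the selinux-policy project: a small Python parser that accepts both formats, tallies denials by source type, target type, object class and permission, and flags records where a given executable ran in a domain other than the one the caller expected, which is exactly the unexpected domain transition this bug is about. The sample lines are constructed, modelled on the records quoted in the comments above; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the two record formats quoted in this bug:
# syslog "kernel: audit(...)" lines and /var/log/audit/auditd.log "type=KERNEL" lines.
# A non-AVC kernel line is included to show that it is ignored.
SAMPLE_LOG = """\
Apr 21 15:53:29 mini kernel: audit(1114124009.718:0): avc:  denied  { write } for  pid=29921 exe=/sbin/depmod path=/home/jreiser/rpmbuild/SPECS/rpm.out dev=hda4 ino=133182 scontext=user_u:system_r:depmod_t tcontext=user_u:object_r:default_t tclass=file
Apr 21 15:56:49 mini kernel: audit(1114124209.193:0): avc:  denied  { search } for  pid=609 exe=/sbin/depmod name=linux-2.6.11 dev=hda4 ino=130573 scontext=user_u:system_r:depmod_t tcontext=user_u:object_r:default_t tclass=dir
type=KERNEL msg=audit(1115829017.237:0): avc:  denied  { search } for  name=var dev=hda4 ino=1663009 scontext=user_u:system_r:depmod_t tcontext=system_u:object_r:var_t tclass=dir
Apr 21 14:28:34 mini kernel: audit(1114118913.748:0): avc:  denied  { setsched } for  pid=1933 exe=/sbin/auditd scontext=user_u:system_r:auditd_t tcontext=user_u:system_r:auditd_t tclass=process
Apr 21 14:28:34 mini kernel: SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
"""

# Both formats share the "avc:  denied  { perms } for  key=value ..." tail,
# so one pattern anchored on "avc:" covers syslog and auditd.log records.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict of the AVC record on this line, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": tuple(m.group("perms").split())}
    # key=value pairs: pid, exe, path/name, dev, ino, scontext, tcontext, tclass ...
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def context_type(context):
    """Third field of a security context: user_u:system_r:depmod_t -> depmod_t."""
    return context.split(":")[2]


def summarize(log_text):
    """Count denials keyed by (source type, target type, object class, permissions)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (
            context_type(rec["scontext"]),
            context_type(rec["tcontext"]),
            rec["tclass"],
            rec["perms"],
        )
        counts[key] += 1
    return counts


def unexpected_domains(log_text, exe, expected_domain):
    """Denials in which `exe` ran in a domain other than `expected_domain`.

    Records without an exe= field (the auditd.log lines quoted in Comment 16
    carry none) cannot be attributed to an executable and are skipped.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("exe") != exe:
            continue
        domain = context_type(rec["scontext"])
        if domain != expected_domain:
            hits.append((domain, rec["tclass"], rec["perms"], rec.get("path") or rec.get("name")))
    return hits


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        src, tgt, cls, perms = key
        print(f"{n:3d}  {src} -> {tgt}  {cls}  {{ {' '.join(perms)} }}")
    # The build shell was unconfined_t (Comment 12), so any depmod denial
    # attributed to another domain is evidence of a domain transition.
    for hit in unexpected_domains(SAMPLE_LOG, "/sbin/depmod", "unconfined_t"):
        print("unexpected domain:", hit)
```

Run against a real /var/log/messages or audit log, the summary groups the noise into a handful of (source, target, class, permission) tuples, and the second report separates "the policy forbids this access" from "the process is not in the domain you think it is", which is the distinction Comment 9 and Comment 13 turn on.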
Comment 17 Daniel Walsh 2005-05-12 10:38:16 EDT
Fixed in selinux-policy-1.23.15-5
