Bug 189489 - Can't install kernels in a chroot with Selinux enabled
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: anaconda
Version: 4.0
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Chris Lumens
QA Contact: Brian Brock
Blocks: 176344
Reported: 2006-04-20 10:26 EDT by Bastien Nocera
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHBA-2007-0215
Doc Type: Bug Fix
Last Closed: 2007-05-01 13:21:38 EDT

Attachments
rpm-strace-rescue-with-selinux.txt (547.76 KB, text/plain), 2006-04-20 10:26 EDT, Bastien Nocera
anaconda patch to bind mount /selinux into /mnt/sysimage (682 bytes, patch), 2006-06-14 12:18 EDT, Eric Paris

Description Bastien Nocera 2006-04-20 10:26:34 EDT
1. Boot a RHEL4 U3 CD in rescue mode
2. chroot to the real system:
chroot /mnt/sysimage
3. Try to install a newer kernel:
error: %pre(kernel-2.6.9-34.EL.i686) scriptlet failed, exit status 255
error:   install: %pre scriptlet failed (2), skipping kernel-2.6.9-34.EL

The stack trace shows that it can't access the /selinux files:

452   getppid()                         = 451
452   open("/proc/self/attr/current", O_RDONLY) = 22
452   read(22, "user_u:system_r:unconfined_t\0", 4095) = 29
452   close(22)                         = 0
452   getxattr("/bin/sh", "security.selinux", "system_u:object_r:shell_exec_t", 255) = 31
452   open("/selinux/create", O_RDWR)   = -1 ENOENT (No such file or directory)
452   exit_group(-1)                    = ?
451   <... futex resumed> )             = -1 EINTR (Interrupted system call)
451   --- SIGCHLD (Child exited) @ 0 (0) ---
Comment 1 Bastien Nocera 2006-04-20 10:26:35 EDT
Created attachment 128039
rpm-strace-rescue-with-selinux.txt
Comment 2 James Morris 2006-05-03 22:59:42 EDT
You'll need to mount /selinux inside the chroot manually, or add it to some script.
Comment 3 Bastien Nocera 2006-05-04 04:50:08 EDT
How do you mount /selinux? rc.sysinit doesn't do it, the mkinitrd doesn't seem
to either, and /selinux doesn't appear in the mount output.

Also, the rescue disk gives some instructions on how to access the full system
after starting up. From anaconda:
                ButtonChoiceWindow(screen, _("Rescue"),
                   _("Your system has been mounted under %s.\n\n"
                     "Press <return> to get a shell. If you would like to "
                     "make your system the root environment, run the command:\n\n"
                     "\tchroot %s\n\nThe system will reboot "
                     "automatically when you exit from the shell.") %
                                   (instPath,instPath),
                                   [_("OK")] )

Maybe anaconda should mount /selinux under both the real root, and the "would
be" chroot?
Comment 4 Eric Paris 2006-06-14 11:27:56 EDT
The mount is done by init with the call

#define SELINUXMNT "/selinux/"
mount("none", SELINUXMNT, "selinuxfs", 0, 0)

In rescue mode outside chroot can you make sure /selinux is mounted?  Then
inside the chroot is there any way you could mount by hand or run a simple
program with that line?
Comment 5 Eric Paris 2006-06-14 12:18:29 EDT
Created attachment 130869
anaconda patch to bind mount /selinux into /mnt/sysimage

Untested, but I think this will do it.  I'm going to go try by hand to
recreate this.  I don't have the slightest clue how to test this patch
though....
Comment 6 Eric Paris 2006-06-14 13:32:40 EDT
By hand in rescue running /mnt/sysimage/sbin/mount --bind /selinux
/mnt/sysimage/selinux and then chrooting seemed to be happy.  Jeremy, does this
seem like something you are willing to take into anaconda?
Comment 7 Eric Paris 2006-06-19 15:03:58 EDT
Reassigning to Jeremy.
Comment 8 Jeremy Katz 2006-06-19 16:26:13 EDT
Seems to make sense, although probably just doing a regular mount of /selinux
instead of a bind mount (no need to bind mount it really)

Chris -- can you get this into HEAD and give the cvs revs and then ensure it
gets pulled in for 4.5?
Comment 9 Chris Lumens 2006-06-20 09:47:20 EDT
HEAD already has:

    # and /selinux too
    if flags.selinux and os.path.isdir("%s/selinux" %(anaconda.rootPath,)):
        try:
            isys.mount("/selinux", "%s/selinux" %(anaconda.rootPath,),
                          "selinuxfs")
        except Exception, e:
            log.error("error mounting selinuxfs: %s" %(e,))

This was committed to revision 1.63 of rescue.py.  I'll track this for the next
RHEL update.
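
Added example, not part of the bug thread and not anaconda's code: a shell check for the condition discussed in comments 2 through 9. It reads a /proc/mounts-format table, reports whether selinuxfs is visible under the chroot root, and prints the regular mount to run from the rescue shell if it is not. The function names and the sample mount tables are constructed for illustration.

```shell
#!/bin/sh
# Added example (not anaconda code): decide whether selinuxfs is visible
# inside a chroot by reading a /proc/mounts-format file.

# selinuxfs_at MOUNTS_FILE MOUNTPOINT
# Succeeds if MOUNTS_FILE lists a selinuxfs mount at MOUNTPOINT.
# A bind mount of /selinux is also reported with type selinuxfs.
selinuxfs_at() {
    awk -v mp="$2" '$2 == mp && $3 == "selinuxfs" { hit = 1 }
                    END { exit !hit }' "$1"
}

# chroot_selinux_plan MOUNTS_FILE ROOT
# Prints one line: "ok", "host-missing", or the mount command to run
# from the rescue shell before chroot.
chroot_selinux_plan() {
    mounts=$1
    root=${2%/}                 # "/mnt/sysimage/" -> "/mnt/sysimage"
    if selinuxfs_at "$mounts" "$root/selinux"; then
        echo "ok"
    elif selinuxfs_at "$mounts" "/selinux"; then
        # Same arguments init passes to mount(2), aimed at the chroot.
        echo "mount -t selinuxfs none $root/selinux"
    else
        # /selinux is not mounted in the rescue environment itself.
        echo "host-missing"
    fi
}

# Constructed sample tables: rescue environment before and after the fix.
sample_before() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
none /proc proc rw 0 0
none /selinux selinuxfs rw 0 0
/dev/sda2 /mnt/sysimage ext3 rw 0 0
none /mnt/sysimage/proc proc rw 0 0
EOF
}
sample_after() {
    sample_before
    echo "none /mnt/sysimage/selinux selinuxfs rw 0 0"
}

# Run against the live table when given a root: ./check.sh /mnt/sysimage
if [ "$#" -ge 1 ]; then
    chroot_selinux_plan /proc/mounts "$1"
fi
```

A result of "host-missing" corresponds to the first question in comment 4: /selinux has to be mounted outside the chroot before anything can be made visible inside it.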
Comment 10 RHEL Product and Program Management 2006-08-18 12:12:09 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 14 David Lawrence 2007-04-12 16:24:31 EDT
ping
Comment 15 Chris Lumens 2007-04-12 16:35:01 EDT
Can you drop to a shell, umount /mnt/sysimage/selinux, and then mount -o bind -t
selinuxfs /mnt/sysimage/selinux?  Does that show things in /selinux when you chroot?
Comment 18 Red Hat Bugzilla 2007-05-01 13:21:39 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0215.html
