Bug 189489 - Can't install kernels in a chroot with Selinux enabled
Summary: Can't install kernels in a chroot with Selinux enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: anaconda
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Chris Lumens
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks: 176344
Reported: 2006-04-20 14:26 UTC by Bastien Nocera
Modified: 2007-11-30 22:07 UTC
CC List: 6 users

Fixed In Version: RHBA-2007-0215
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-01 17:21:38 UTC
Target Upstream Version:
Embargoed:


Attachments
rpm-strace-rescue-with-selinux.txt (547.76 KB, text/plain), 2006-04-20 14:26 UTC, Bastien Nocera
anaconda patch to bind mount /selinux into /mnt/sysimage (682 bytes, patch), 2006-06-14 16:18 UTC, Eric Paris


Links
Red Hat Product Errata RHBA-2007:0215 (normal, SHIPPED_LIVE): anaconda, and rhpl bug fix update, last updated 2007-05-01 17:16:50 UTC

Description Bastien Nocera 2006-04-20 14:26:34 UTC
1. Boot a RHEL4 U3 CD in rescue mode
2. chroot to the real system:
chroot /mnt/sysimage
3. Try to install a newer kernel:
error: %pre(kernel-2.6.9-34.EL.i686) scriptlet failed, exit status 255
error:   install: %pre scriptlet failed (2), skipping kernel-2.6.9-34.EL

The stack trace shows that it can't access the /selinux files:

452   getppid()                         = 451
452   open("/proc/self/attr/current", O_RDONLY) = 22
452   read(22, "user_u:system_r:unconfined_t\0", 4095) = 29
452   close(22)                         = 0
452   getxattr("/bin/sh", "security.selinux", "system_u:object_r:shell_exec_t", 255) = 31
452   open("/selinux/create", O_RDWR)   = -1 ENOENT (No such file or directory)
452   exit_group(-1)                    = ?
451   <... futex resumed> )             = -1 EINTR (Interrupted system call)
451   --- SIGCHLD (Child exited) @ 0 (0) ---

Comment 1 Bastien Nocera 2006-04-20 14:26:35 UTC
Created attachment 128039 [details]
rpm-strace-rescue-with-selinux.txt

Comment 2 James Morris 2006-05-04 02:59:42 UTC
You'll need to mount /selinux inside the chroot manually, or add it to some script.

Comment 3 Bastien Nocera 2006-05-04 08:50:08 UTC
How do you mount /selinux? rc.sysinit doesn't do it, the mkinitrd doesn't seem
to either, and /selinux doesn't appear in the mount output.

Also, the rescue disk gives some instructions on how to access the full system
after starting up. From anaconda:
                ButtonChoiceWindow(screen, _("Rescue"),
                   _("Your system has been mounted under %s.\n\n"
                     "Press <return> to get a shell. If you would like to "
                     "make your system the root environment, run the command:\n\n"
                     "\tchroot %s\n\nThe system will reboot "
                     "automatically when you exit from the shell.") %
                                   (instPath,instPath),
                                   [_("OK")] )

Maybe anaconda should mount /selinux under both the real root, and the "would
be" chroot?

Comment 4 Eric Paris 2006-06-14 15:27:56 UTC
The mount is done by init with the call

#define SELINUXMNT "/selinux/"
mount("none", SELINUXMNT, "selinuxfs", 0, 0)

In rescue mode outside chroot can you make sure /selinux is mounted?  Then
inside the chroot is there any way you could mount by hand or run a simple
program with that line?

Comment 5 Eric Paris 2006-06-14 16:18:29 UTC
Created attachment 130869 [details]
anaconda patch to bind mount /selinux into /mnt/sysimage

Untested, but I think this will do it.  I'm going to go try by hand to
recreate this.  I don't have the slightest clue how to test this patch
though....

Comment 6 Eric Paris 2006-06-14 17:32:40 UTC
By hand in rescue running /mnt/sysimage/sbin/mount --bind /selinux
/mnt/sysimage/selinux and then chrooting seemed to be happy.  Jeremy, does this
seem like something you are willing to take into anaconda?

Comment 7 Eric Paris 2006-06-19 19:03:58 UTC
reassigning to jeremy.

Comment 8 Jeremy Katz 2006-06-19 20:26:13 UTC
Seems to make sense, although probably just doing a regular mount of /selinux
instead of a bind mount (no need to bind mount it really)

Chris -- can you get this into HEAD and give the cvs revs and then ensure it
gets pulled in for 4.5?

Comment 9 Chris Lumens 2006-06-20 13:47:20 UTC
HEAD already has:

    # and /selinux too
    if flags.selinux and os.path.isdir("%s/selinux" %(anaconda.rootPath,)):
        try:
            isys.mount("/selinux", "%s/selinux" %(anaconda.rootPath,),
                          "selinuxfs")
        except Exception, e:
            log.error("error mounting selinuxfs: %s" %(e,))

This was committed to revision 1.63 of rescue.py.  I'll track this for the next
RHEL update.
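As an added example (it is not anaconda's code, nor the patch attached to this bug), the following POSIX shell helper applies the same check as the rescue.py snippet in Comment 9, using the hand procedure from Comments 4 and 6 and the plain (non-bind) mount Jeremy suggests in Comment 8: it reads /proc/mounts, and only mounts selinuxfs under the chroot when the rescue kernel actually has it at /selinux and the chroot does not yet see it, so that rpm's %pre scriptlet can open /selinux/create after `chroot /mnt/sysimage`. The function names, the DRY_RUN variable and the sample mounts table are my own constructions, not from the bug.

```shell
#!/bin/sh
# Added example, not anaconda's own code: make selinuxfs visible inside a
# rescued system before chrooting into it, so rpm scriptlets that open
# /selinux/create (see the strace in the bug description) do not fail.

# selinuxfs_mounted_in MOUNTS_TEXT MOUNTPOINT
# Succeeds (exit 0) if MOUNTS_TEXT, in /proc/mounts format, lists a
# selinuxfs mounted at MOUNTPOINT. The table is passed as text so the
# function can be exercised on constructed input; on a live rescue
# system pass "$(cat /proc/mounts)".
selinuxfs_mounted_in() {
    mounts_text="$1"
    target="$2"
    printf '%s\n' "$mounts_text" | awk -v t="$target" '
        $3 == "selinuxfs" && $2 == t { found = 1 }
        END { exit found ? 0 : 1 }'
}

# selinux_mount_plan MOUNTS_TEXT ROOT
# Prints the mount command needed for the chroot at ROOT, or nothing if
# ROOT/selinux already has selinuxfs. Fails (exit 1) if the rescue kernel
# itself has no selinuxfs at /selinux: then there is nothing to mount, and
# rpm inside the chroot will not consult /selinux either.
selinux_mount_plan() {
    mounts_text="$1"
    root="$2"
    if selinuxfs_mounted_in "$mounts_text" "$root/selinux"; then
        return 0
    fi
    if ! selinuxfs_mounted_in "$mounts_text" /selinux; then
        return 1
    fi
    # Regular selinuxfs mount (Comment 8): no bind mount is required.
    printf 'mount -t selinuxfs none %s/selinux\n' "$root"
}

# ensure_selinux_in_chroot [ROOT]
# Live version: mirrors the rescue.py logic (only act if ROOT/selinux is a
# directory), then runs the plan. DRY_RUN=1 (the default, my own choice)
# prints the command instead of running it; set DRY_RUN=0 as root to mount.
ensure_selinux_in_chroot() {
    root="${1:-/mnt/sysimage}"
    if [ ! -d "$root/selinux" ]; then
        echo "no $root/selinux directory, nothing to mount" >&2
        return 0
    fi
    cmd=$(selinux_mount_plan "$(cat /proc/mounts)" "$root") || {
        echo "selinuxfs is not mounted at /selinux on the rescue system" >&2
        return 1
    }
    [ -n "$cmd" ] || return 0
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would run: $cmd"
    else
        $cmd
    fi
}

# Constructed sample of /proc/mounts on a rescue system where SELinux is
# enabled on the rescue kernel but the chroot has no /selinux yet.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/proc /proc proc rw 0 0
none /selinux selinuxfs rw 0 0
/dev/sda2 /mnt/sysimage ext3 rw 0 0
/proc /mnt/sysimage/proc proc rw 0 0'

# Usage on a live rescue shell: sh ensure-selinux.sh /mnt/sysimage
if [ $# -gt 0 ]; then
    ensure_selinux_in_chroot "$1"
fi
```

Running the script with DRY_RUN=1 on a rescue system shows the single mount command it would issue; after it has been run for real, `chroot /mnt/sysimage` followed by `ls /selinux` should list the selinuxfs entries that rpm's %pre scriptlet expects.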


Comment 10 RHEL Program Management 2006-08-18 16:12:09 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 14 David Lawrence 2007-04-12 20:24:31 UTC
ping

Comment 15 Chris Lumens 2007-04-12 20:35:01 UTC
Can you drop to a shell, umount /mnt/sysimage/selinux, and then mount -o bind -t
selinuxfs /mnt/sysimage/selinux.  Does that show things in /selinux when you chroot?

Comment 18 Red Hat Bugzilla 2007-05-01 17:21:39 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0215.html