Doing the following:

    $> cat > grubscript.tmp << EOF
    root (hd1,0)
    install /grub/stage1 d (hd1) /grub/stage2 p /grub/grub.conf
    EOF
    $> grub --batch --no-floppy --device-map=device.map < grubscript.tmp
    grub: asmstub.c:214: grub_stage2: Assertion `simstack_alloc_base != ((void *) -1)' failed.
    Aborted

Fails with this AVC denied:

    avc: denied { execmem } for pid=3093 comm="grub" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process

Running with allow_execmem set to 1 makes it work.

Best I can make out is that our grub simulates an executable stack by mmaping a chunk of memory and marking it executable ... presumably so grub can be built without an executable stack.

CVS log of the patch:

    $> cvs log grub-0.95-nxstack.patch
    date: 2005/02/11 08:16:53; author: pjones; state: Exp;
    vroomfondel:~$ eu-readelf -l /sbin/grub | grep STACK
      GNU_STACK 0x000000 0x00000000 0x00000000 0x000000 0x000000 RW 0x4
                                                                 ^ yay
    This may be one of the worst atrocities I've ever committed to disk. :-)

Do we need to modify the policy to allow_execmem for grub?
Is this required by grub? I.e. is there another way to do this. We can define a context of unconfined_execmem_exec_t for grub which would allow this.

    chcon -t unconfined_execmem_exec_t /sbin/grub
Fixed in 2.2.47-3
I still see this problem on FC6 T1

    Vigor14:~: rpm -q selinux-policy-targeted
    selinux-policy-targeted-2.3.1-1
    Vigor14:~: audit(1152250446.486:6): avc: denied { execmem } for pid=2177 comm="grub" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
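An added example, not from this bug report or from the grub or selinux-policy packages: a small Python triage script that parses AVC records in the format quoted in the comments above and flags denials of the memory-execution permissions (execmem and its siblings execstack, execheap, execmod), reporting the binary, pid and source domain. The sample records are constructed from the two grub denials in this thread plus one unrelated file denial that the filter should ignore.

```python
import re

# Constructed sample audit records: two in the shape of the grub denials quoted in this bug
# and one unrelated file denial that the filter should ignore.
SAMPLE_AVC_LINES = [
    'avc: denied { execmem } for pid=3093 comm="grub" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 '
    'tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process',
    'audit(1152250446.486:6): avc: denied { execmem } for pid=2177 comm="grub" '
    'scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process',
    'audit(1152250446.500:7): avc: denied { read } for pid=2200 comm="httpd" name="index.html" '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file',
]

# Process-class permissions that all amount to "run code from writable memory".
MEMORY_EXEC_PERMS = {"execmem", "execstack", "execheap", "execmod"}
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally double-quoted

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    return rec

def domain_type(context):
    """Type field of a user:role:type[:mls] SELinux context, e.g. unconfined_t."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def triage(lines):
    """List every denied memory-execution request: binary, pid, source domain, permission."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        hit = MEMORY_EXEC_PERMS.intersection(rec["perms"])
        if hit:
            findings.append({"comm": rec.get("comm"), "pid": int(rec.get("pid", 0)),
                             "domain": domain_type(rec.get("scontext", "")), "perms": sorted(hit)})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_AVC_LINES):
        print(f"{f['comm']} (pid {f['pid']}) in {f['domain']} denied {' '.join(f['perms'])}")
```

Feed it real records with something like `grep avc /var/log/audit/audit.log` to see which binaries on a box are asking for executable writable memory, which is the question this bug turns on.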
Fixed in selinux-policy-targeted-2.3.2-2
Should be fixed in the current release