Bug 200181 - update to LSPP .44 kernel with selinux in Enforcing fails
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
6
powerpc Linux
medium Severity medium
Assigned To: Daniel Walsh
Ben Levenson
: Reopened
Reported: 2006-07-25 18:33 EDT by IBM Bug Proxy
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-04-06 12:32:29 EDT
Attachments:
audit.log (18.50 KB, text/plain)
2006-12-20 11:41 EST, IBM Bug Proxy

Description IBM Bug Proxy 2006-07-25 18:33:35 EDT
LTC Owner is: gjlynx@us.ibm.com
LTC Originator is: dvelarde@us.ibm.com


Problem description:
When I (sysadm_r) tried to upgrade my lspp.37.ppc64 kernel to lspp.44.ppc64 
with selinux in enforcing mode, I got the error:
# rpm -Uvh kernel-2.6.17-1.2293.2.8_FC6.lspp.44.ppc64.rpm kernel-devel-2.6.17-1.2293.2.8_FC6.lspp.44.ppc64.rpm
Preparing...                ########################################### [100%]
   1:kernel-devel           ########################################### [ 50%]
   2:kernel                 ########################################### [100%]
grubby: error moving /etc/yaboot.conf- to /etc/yaboot.conf: Permission denied
ybin: /dev/sda1: Permission denied
ybin: /dev/sda3: Permission denied
grubby fatal error: unable to find a suitable template
grubby: doing this would leave no kernel entries. Not writing out new config.
ybin: /dev/sda1: Permission denied
ybin: /dev/sda3: Permission denied

Despite the permission denied errors, the rpms seem to have been upgraded
# rpm -qa | grep kernel
kernel-2.6.17-1.2293.2.8_FC6.lspp.44
kernel-devel-2.6.17-1.2293.2.8_FC6.lspp.44


If this is not an installation problem,
       Describe any custom patches installed.
Installed system last week with Klaus' latest kickstart script.
Upgraded selinux policy to latest available.
Then tried to upgrade to more recent LSPP kernel packages:
kernel-2.6.17-1.2293.2.8_FC6.lspp.44.ppc64.rpm 
kernel-devel-2.6.17-1.2293.2.8_FC6.lspp.44.ppc64.rpm

       Provide output from "uname -a", if possible:
# uname -a
Linux hvracer6.ltc.austin.ibm.com 2.6.17-1.2293.2.1_FC6.lspp.37 #1 SMP Mon Jun 19 19:49:45 EDT 2006 ppc64 ppc64 ppc64 GNU/Linux


Hardware Environment
    Machine type (p650, x235, SF2, etc.): PPC64 HV LPAR


Is the system (not just the application) hung?
    If so, describe how you determined this:
If you reboot the system immediately after attempting to upgrade the kernel 
packages, you will have trouble booting up the system if you do not still have 
another kernel installed.

Additional information:
The default image no longer boots
boot:
Please wait, loading kernel...
/vdevice/v-scsi@30000005/disk@8000000000000000:2,/boot/vmlinuz-2.6.17-1.2293.2.1_FC6.lspp.37: No such file or directory


And lspp.44.kernel is not listed as one of the defined images you can select 
to boot.
Comment 1 Tim Burke 2006-09-21 03:24:40 EDT
Why is this filed as a kernel bug?
Comment 2 IBM Bug Proxy 2006-09-21 13:27:47 EDT
----- Additional Comments From salina@us.ibm.com  2006-09-21 13:23 EDT -------
strange .. on IBM side .. this is against security..
maybe a mapping error with the mirroring tool ? 
Comment 3 Pete Graner 2006-10-05 14:42:46 EDT
Peter pls look at this. I think it's resolved, it was misassigned to kernel... If
so pls close etc. etc. etc.
Comment 4 Peter Jones 2006-10-05 15:58:51 EDT
Please attach the system log so we can fix the SELinux policy.
Comment 5 Daniel Walsh 2006-10-05 17:05:33 EDT
I believe this has been fixed in policy for a while.

Please reopen if I am mistaken.
Comment 6 IBM Bug Proxy 2006-10-05 19:26:10 EDT
----- Additional Comments From gcwilson@us.ibm.com  2006-10-05 19:24 EDT -------
I was able to update Milestone 4 (200609227) to today's rawhide kernel in
enforcing mode without problems on ppc64.  Debbie, do you agree that this bug is
fixed? 
Comment 7 IBM Bug Proxy 2006-10-05 19:30:50 EDT
changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|FIXEDAWAITINGTEST           |ACCEPTED




------- Additional Comments From dvelarde@us.ibm.com  2006-10-05 19:29 EDT -------
Agree bug is now fixed. 
Comment 8 IBM Bug Proxy 2006-10-05 19:31:22 EDT
changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ACCEPTED                    |CLOSED




------- Additional Comments From dvelarde@us.ibm.com  2006-10-05 19:29 EDT -------
closing since no longer an issue. 
Comment 9 IBM Bug Proxy 2006-10-05 19:36:02 EDT
----- Additional Comments From gcwilson@us.ibm.com  2006-10-05 19:30 EDT -------
To clarify, the test in my previous post was conducted on Milestone 4 using
libsemanage 1.6.17-1 and MLS policy 2.3.18-3 from rawhide to work around RIT103513. 
Comment 10 IBM Bug Proxy 2006-12-11 20:00:51 EST
changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CLOSED                      |REOPENED
         Resolution|FIX_BY_DISTRO               |




------- Additional Comments From mcthomps@us.ibm.com  2006-12-11 19:54 EDT -------
Reopening due to regression in the SELinux policy packages. 
Comment 11 IBM Bug Proxy 2006-12-12 11:11:49 EST
changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|RH200181- update to LSPP .44|[REG] RH200181- update to
                   |kernel with selinux in      |LSPP .44 kernel with selinux
                   |Enforcing fails             |in Enforcing fails




------- Additional Comments From mcthomps@us.ibm.com  2006-12-12 11:09 EDT -------
Marking as regression. 
Comment 12 Irina Boverman 2006-12-15 13:37:38 EST
This is FC6 bug. If this is also a RHEL 5 bug, and it needs to be fixed there,
you need to open RHEL 5 bugzilla. 
Comment 13 Daniel Walsh 2006-12-18 14:18:24 EST
Ok is this a bug or not?  I don't believe this is a bug as I believe it has been
fixed in policy.  If a bug on upgrade still happens please attach More
information/avc messages.
Comment 14 IBM Bug Proxy 2006-12-20 11:32:06 EST
------- Additional Comments From mcthomps@us.ibm.com  2006-12-20 11:28 EDT -------
(In reply to comment #18)
> ----- Additional Comments From dwalsh@redhat.com  2006-12-18 14:18 EST -------
> Ok is this a bug or not?  I don't believe this is a bug as I believe it has been
> fixed in policy.  If a bug on upgrade still happens please attach More
> information/avc messages.
> --

Dan & Irena,

We are mostly on break, so I apologize for the long delay and lack of 
response. The problem we're seeing is that installing a kernel in enforcing 
mode does not (it seems) properly install the initrd, resulting in being 
unable to mount your root fs. I have the audit log attached to this bug report.

Here is the output from the install and the result:
[root@bladeracer1 root]# run_init rpm -ivh /root/kernel-2.6.18-1.2747.2.1.el5.lspp.55.ppc64.rpm --force
Authenticating ealuser.
Password:
/etc/selinux/mls/contexts/files/file_contexts: Multiple same specifications for /a?quota.(user|group).
Preparing...                ########################################### [100%]
   1:kernel                 ########################################### [100%]
mktemp: cannot make temp dir /tmp/initrd.AG2456: Permission denied
mktemp: cannot create temp file /tmp/initrd.img.TR2457: Permission denied
Error creating temporaries.  Try again
mkinitrd failed
error: %post(kernel-2.6.18-1.2747.2.1.el5.lspp.55.ppc64) scriptlet failed, exit status 1
[root@bladeracer1 root]# ls /boot
boot.cmdline
boot.entry
config-2.6.18-1.2747.2.1.el5.lspp.55
config-2.6.18-1.2767.el5
config-2.6.18-1.2840.2.1.el5.lspp.57
etc
fallback.check
grub
initrd-2.6.18-1.2767.el5.img
initrd-2.6.18-1.2840.2.1.el5.lspp.57.img
lost+found
symvers-2.6.18-1.2747.2.1.el5.lspp.55.gz
symvers-2.6.18-1.2767.el5.gz
symvers-2.6.18-1.2840.2.1.el5.lspp.57.gz
System.map-2.6.18-1.2747.2.1.el5.lspp.55
System.map-2.6.18-1.2767.el5
System.map-2.6.18-1.2840.2.1.el5.lspp.57
vmlinuz-2.6.18-1.2747.2.1.el5.lspp.55
vmlinuz-2.6.18-1.2767.el5
vmlinuz-2.6.18-1.2840.2.1.el5.lspp.57
[root@bladeracer1 root]# rpm -q kernel
kernel-2.6.18-1.2767.el5
kernel-2.6.18-1.2840.2.1.el5.lspp.57
kernel-2.6.18-1.2747.2.1.el5.lspp.55 
Comment 15 IBM Bug Proxy 2006-12-20 11:41:05 EST
Created attachment 144118 [details]
audit.log
Comment 16 IBM Bug Proxy 2006-12-20 11:41:10 EST
----- Additional Comments From mcthomps@us.ibm.com  2006-12-20 11:35 EDT -------
 
AVC messages from kernel rpm install 
Comment 17 Daniel Walsh 2006-12-20 13:37:09 EST
The latest policy on people removed the bootloader_exec_t from /sbin/mkinitrd
which should fix this problem.

Basically we want mkinitrd labeled as sbin_t so that it will continue to run
under  rpm_script_t context.

So this should be fixed in selinux-policy-2.4.6-15.el5
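
One way to triage the AVC messages requested in this thread, as an added example that is not part of the bug report or its attached audit.log: it groups denials by the source domain the failing command ran in, which is the detail the fix in comment 17 turns on. The sample records, including the domain and type names in them, are constructed assumptions.

```python
import re
from collections import Counter

# Constructed records in audit.log format; NOT the audit.log attached to this bug.
# Domain/type names (bootloader_t, tmp_t, ...) are assumptions for illustration.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1166632800.101:41): avc:  denied  { write } for  pid=2456 comm="mktemp" name="tmp" dev=sda3 ino=12 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1166632800.105:42): avc:  denied  { write } for  pid=2457 comm="mktemp" name="tmp" dev=sda3 ino=12 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1166632800.105:42): arch=80000015 syscall=39 success=no exit=-13 comm="mktemp"
type=AVC msg=audit(1166632801.220:43): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1166632802.300:44): avc:  denied  { read write } for  pid=2460 comm="ybin" name="sda1" dev=tmpfs ino=900 scontext=root:sysadm_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{([^}]*)\}.*?'
    r'scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)'
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def parse_denial(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms, scontext, tcontext, tclass = m.groups()
    comm = COMM_RE.search(line)
    return {
        "comm": comm.group(1) if comm else "?",
        # A context is user:role:type[:mls-range]; the type is field 3 even
        # when the MLS range itself contains colons (s0-s15:c0.c1023).
        "source": scontext.split(":")[2],
        "target": tcontext.split(":")[2],
        "tclass": tclass,
        "perms": tuple(perms.split()),
    }


def summarize(log_text):
    """Count denials per (source domain, command, target type, class, perms)."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d:
            counts[(d["source"], d["comm"], d["target"], d["tclass"], d["perms"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT_LOG).most_common():
        print(n, *key)
```

A scriptlet helper that shows up under a source domain other than rpm_script_t points at the executable's file label rather than at the rpm policy itself.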
Comment 18 IBM Bug Proxy 2007-01-05 17:25:35 EST
changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ACCEPTED                    |CLOSED




------- Additional Comments From dvelarde@us.ibm.com  2007-01-05 17:20 EDT -------
I was able to successfully use rpm -Uvh to upgrade my kernel to lspp.58 version
from a RHEL5 RC5 install in enforcing mode.  I restarted system and it came up fine. 
Comment 19 Matthew Miller 2007-04-06 12:13:22 EDT
Fedora Core 5 and Fedora Core 6 are, as we're sure you've noticed, no longer
test releases. We're cleaning up the bug database and making sure important bug
reports filed against these test releases don't get lost. It would be helpful if
you could test this issue with a released version of Fedora or with the latest
development / test release. Thanks for your help and for your patience.

[This is a bulk message for all open FC5/FC6 test release bugs. I'm adding
myself to the CC list for each bug, so I'll see any comments you make after this
and do my best to make sure every issue gets proper attention.]
Comment 20 Steve Grubb 2007-04-06 12:32:29 EDT
This bug appears to be resolved.
