200269 – selinux causes kernel installation failure

Bug 200269 - selinux causes kernel installation failure

Summary: selinux causes kernel installation failure

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	6
Hardware:	ia64
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-07-26 16:52 UTC by Prarit Bhargava
Modified:	2007-11-30 22:11 UTC (History)
CC List:	2 users (show)
Fixed In Version:	Current
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-04-09 13:49:02 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Prarit Bhargava 2006-07-26 16:52:53 UTC

Description of problem:

When installing a new kernel, selinux prevents the initrd from being created.

Version-Release number of selected component (if applicable): nightly-20060725


How reproducible: 100%


Steps to Reproduce:
1. Download a new kernel RPM
2. attempt to install it

  
Actual results:

Install fails:
[root@frosty home]# rpm -ivh kernel-xen-2.6.17-1.2450.ia64.rpm 
Preparing...                ########################################### [100%]
   1:kernel-xen             ########################################### [100%]
WARNING: /lib/modules/2.6.17-1.2450xen/kernel/drivers/md/xor.ko needs unknown
symbol xor_ia64_3
WARNING: /lib/modules/2.6.17-1.2450xen/kernel/drivers/md/xor.ko needs unknown
symbol xor_ia64_5
WARNING: /lib/modules/2.6.17-1.2450xen/kernel/drivers/md/xor.ko needs unknown
symbol xor_ia64_4
WARNING: /lib/modules/2.6.17-1.2450xen/kernel/drivers/md/xor.ko needs unknown
symbol xor_ia64_2
WARNING: /lib/modules/2.6.17-1.2450xen/kernel/fs/cachefiles/cachefiles.ko needs
unknown symbol copy_page
audit(1153932867.020:5): avc:  denied  { search } for  pid=2355 comm="mkinitrd"
name="/" dev=sda1 ino=1 scontext=root:system_r:bootloader_t:s0-s0:c0.c255
tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
audit(1153932882.564:6): avc:  denied  { search } for  pid=3143 comm="mkinitrd"
name="/" dev=sda1 ino=1 scontext=root:system_r:bootloader_t:s0-s0:c0.c255
tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
audit(1153932882.564:7): avc:  denied  { search } for  pid=3143 comm="mkinitrd"
name="/" dev=sda1 ino=1 scontext=root:system_r:bootloader_t:s0-s0:c0.c255
tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
/sbin/mkinitrd: line 1226: /boot/efi/EFI/redhat/initrd-2.6.17-1.2450xen.img:
Permission denied
mkinitrd failed


Expected results: installation should succeed

Additional info: Installation succeeds if I boot with "selinux=0"

Comment 1 Daniel Walsh 2006-07-26 17:59:56 UTC

Fixed in selinux-policy-2_3_3-11

Comment 2 Matthew Miller 2007-04-06 17:25:57 UTC

Fedora Core 5 and Fedora Core 6 are, as we're sure you've noticed, no longer
test releases. We're cleaning up the bug database and making sure important bug
reports filed against these test releases don't get lost. It would be helpful if
you could test this issue with a released version of Fedora or with the latest
development / test release. Thanks for your help and for your patience.

[This is a bulk message for all open FC5/FC6 test release bugs. I'm adding
myself to the CC list for each bug, so I'll see any comments you make after this
and do my best to make sure every issue gets proper attention.]

Note You need to log in before you can comment on or make changes to this bug.