Bug 201414 - ybin fails with "Failed to initialize HFS working directories: Permission denied"
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: yaboot
Version: rawhide
Hardware: powerpc Linux
Priority: medium, Severity: high
Assigned To: Paul Nasrat
Blocks: 203736 203752
Reported: 2006-08-04 18:04 EDT by Will Woods
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2006-08-23 11:36:00 EDT
Attachments
patch to ybin that makes it use /boot for state info instead of /root (480 bytes, patch)
2006-08-10 14:38 EDT, Will Woods
Description Will Woods 2006-08-04 18:04:48 EDT
With the 20060803.1 Test2 release candidate tree, ybin will fail with the
following message:

Failed to initialize HFS working directories: Permission denied

ybin has the SELinux context of system_u:object_r:bootloader_exec_t. Changing
the SELinux context to (e.g.) system_u:object_r:sbin_t allows ybin to work.

This problem causes grubby to be unable to change the bootloader config, which
keeps you from booting a new kernel.
Comment 1 Will Woods 2006-08-07 12:10:48 EDT
ybin is a shell script. It fails when it tries to execute hmount (from hfsutils).

The error message indicates that hmount fails in hcwd_init(). This function
normally creates/opens "/root/.hcwd". I suspect SELinux is denying this and
causing hmount to fail, which causes ybin to fail. 

Bug component may need to be changed to either hfsutils or policy - I will
investigate further.
Comment 2 Will Woods 2006-08-10 14:35:21 EDT
I should have mentioned - this is yaboot-1.3.13-0.18.1

Found a solution: hmount and friends read the environment variable HOME, so
adding a line to ybin that says:

export HOME=/boot

allows everything to work correctly except updating the OF boot device in
/dev/nvram.

dwalsh has tweaked policy to allow bootloader_t to write to /dev/nvram, so all
that remains is fixing ybin. I'll upload a patch shortly.
Comment 3 Will Woods 2006-08-10 14:38:35 EDT
Created attachment 133968
patch to ybin that makes it use /boot for state info instead of /root
Comment 4 Will Woods 2006-08-22 18:47:37 EDT
One note: /boot is used because it's the only place bootloader_exec_t is
naturally allowed to write. Any other directory will fail. 

If /boot is mounted read-only, this will fail. Still, this fix will work for 98%
of cases, and the other 2% get a 'Read-only filesystem' error, which should be
pretty clear.

To get the other 2 percent, we would need a dedicated state dir for hfsutils
(say /var/tmp/hfs) and another policy change.
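
The failure mode discussed in Comments 1, 2 and 4, as an added example that is not part of the bug report or the attached patch: a shell helper that checks a directory can actually hold hmount's `.hcwd` state file before HOME is pointed at it. The function names and the candidate list are hypothetical.

```shell
# Added example; function names are hypothetical, not from ybin or hfsutils.
# hmount keeps its state in "$HOME/.hcwd", so whatever HOME points at must be
# writable by the confined process that runs the script.

# probe_state_dir DIR: return 0 only if a file can really be created in DIR.
# Creating a file exercises file permissions, SELinux policy and read-only
# mounts in one step, instead of guessing from the mode bits.
probe_state_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    probe="$dir/.hcwd-probe.$$"
    # noclobber (set -C) makes the redirect fail rather than truncate a file
    # that already exists under the probe name.
    if ( set -C; : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# select_hfs_home DIR...: print the first usable directory. If none works,
# say so on stderr and return 1 so the caller can stop before hmount runs.
select_hfs_home() {
    for candidate in "$@"; do
        if probe_state_dir "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "no writable state directory for hfsutils among: $*" >&2
    return 1
}

# Usage inside a ybin-like script (assumed call site):
#   HOME=$(select_hfs_home /boot) || exit 1
#   export HOME
```
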
Comment 6 Paul Nasrat 2006-08-23 11:36:00 EDT
Thanks for the patch, this works as a temporary solution but it's not really
suitable for upstream yaboot.
