Bug 201414 - ybin fails with "Failed to initialize HFS working directories: Permission denied"
Summary: ybin fails with "Failed to initialize HFS working directories: Permission den...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: yaboot
Version: rawhide
Hardware: powerpc
OS: Linux
medium
high
Target Milestone: ---
Assignee: Paul Nasrat
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 203736 203752
TreeView+ depends on / blocked
 
Reported: 2006-08-04 22:04 UTC by Will Woods
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2006-08-23 15:36:00 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
patch to ybin that makes it use /boot for state info instead of /root (480 bytes, patch)
2006-08-10 18:38 UTC, Will Woods
no flags Details | Diff

Description Will Woods 2006-08-04 22:04:48 UTC
With the 20060803.1 Test2 release candidate tree, ybin will fail with the
following message:

Failed to initialze HFS working directories: Permission denied

ybin has the SELinux context of system_u:object_r:bootloader_exec_t. Changing
the SELinux context to (e.g.) system_u:object_r:sbin_t allows ybin to work.

This problem causes grubby to be unable to change the bootloader config, which
keeps you from booting a new kernel.

Comment 1 Will Woods 2006-08-07 16:10:48 UTC
ybin is a shell script. It fails when it tries to execute hmount (from hfsutils).

The error message indicates that hmount fails in hcwd_init(). This function
normally creates/opens "/root/.hcwd". I suspect SELinux is denying this and
causing hmount to fail, which causes ybin to fail. 

Bug component may need to be changed to either hfsutils or policy - I will
investigate further.

Comment 2 Will Woods 2006-08-10 18:35:21 UTC
I should have mentioned - this is yaboot-1.3.13-0.18.1

Found a solution: hmount and friends read the environment variable HOME, so
adding a line to ybin that says:

export HOME=/boot

allows everything to work correctly except updating the OF boot device in
/dev/nvram.

dwalsh has tweaked policy to allow bootloader_t to write to /dev/nvram, so all
that remains is fixing ybin. I'll upload a patch shortly.

Comment 3 Will Woods 2006-08-10 18:38:35 UTC
Created attachment 133968 [details]
patch to ybin that makes it use /boot for state info instead of /root

Comment 4 Will Woods 2006-08-22 22:47:37 UTC
One note: /boot is used because it's the only place bootloader_exec_t is
naturally allowed to write. Any other directory will fail. 

If /boot is mounted read-only, this will fail. Still, this fix will work for 98%
of cases, and the other 2% get a 'Read-only filesystem' error, which should be
pretty clear.

To get the other 2 percent, we would need a dedicated state dir for hfsutils
(say /var/tmp/hfs) and another policy change.

Comment 6 Paul Nasrat 2006-08-23 15:36:00 UTC
Thanks for the patch, this works as a temporary solution but it's not really
suitable for upstream yaboot.


Note You need to log in before you can comment on or make changes to this bug.