Red Hat Bugzilla – Bug 201414
ybin fails with "Failed to initialize HFS working directories: Permission denied"
Last modified: 2007-11-30 17:11:39 EST
With the 20060803.1 Test2 release candidate tree, ybin will fail with the following message: Failed to initialze HFS working directories: Permission denied ybin has the SELinux context of system_u:object_r:bootloader_exec_t. Changing the SELinux context to (e.g.) system_u:object_r:sbin_t allows ybin to work. This problem causes grubby to be unable to change the bootloader config, which keeps you from booting a new kernel.
ybin is a shell script. It fails when it tries to execute hmount (from hfsutils). The error message indicates that hmount fails in hcwd_init(). This function normally creates/opens "/root/.hcwd". I suspect SELinux is denying this and causing hmount to fail, which causes ybin to fail. Bug component may need to be changed to either hfsutils or policy - I will investigate further.
I should have mentioned - this is yaboot-1.3.13-0.18.1 Found a solution: hmount and friends read the environment variable HOME, so adding a line to ybin that says: export HOME=/boot allows everything to work correctly except updating the OF boot device in /dev/nvram. dwalsh has tweaked policy to allow bootloader_t to write to /dev/nvram, so all that remains is fixing ybin. I'll upload a patch shortly.
Created attachment 133968 [details] patch to ybin that makes it use /boot for state info instead of /root
One note: /boot is used because it's the only place bootloader_exec_t is naturally allowed to write. Any other directory will fail. If /boot is mounted read-only, this will fail. Still, this fix will work for 98% of cases, and the other 2% get a 'Read-only filesystem' error, which should be pretty clear. To get the other 2 percent, we would need a dedicated state dir for hfsutils (say /var/tmp/hfs) and another policy change.
Thanks for the patch, this works as a temporary solution but it's not really suitable for upstream yaboot.