Description of problem:
hmount can not initialize .hcwd when run from /sbin/ybin with enforcing selinux

Version-Release number of selected component (if applicable):
hfsutils-3.2.6-7.2.1
selinux-policy-2.3.7-2.fc5

How reproducible:
always

Steps to Reproduce:
1. /usr/sbin/setenforce 1
2. /sbin/ybin -v --debug
3.

Actual results:
- gives an error

ybin: Finding OpenFirmware device path to `/dev/hda2'...
ybin: DEBUG: ofboot set to `/pci@f4000000/ata-6@d/disk@0:2'
ybin: Finding OpenFirmware device path to `/dev/hda3'...
ybin: DEBUG: macosx set to `/pci@f4000000/ata-6@d/disk@0:3' from `/dev/hda3'
ybin: DEBUG: OS=5
ybin: DEBUG: /bin/sh /usr/lib/yaboot/ofboot 5 bootmacosx 5 0 yaboot GNU l /pci@f4000000/ata-6@d/disk@0:2 ,\\yaboot macosx MacOSX x /pci@f4000000/ata-6@d/disk@0:3 ,\\:tbxi cd CDROM c cd: ,\\:tbxi net Network n enet: 0 of OpenFirmware o quit now
ybin: DEBUG: set magicboot to /tmp/ofboot.a10338
Failed to initialize HFS working directories: Permission denied
ybin: /dev/hda2 appears to have never had a bootstrap installed, please run mkofboot

Expected results:
- success

[root@localhost eugene]# /sbin/ybin -v --debug
ybin: Finding OpenFirmware device path to `/dev/hda2'...
ybin: DEBUG: ofboot set to `/pci@f4000000/ata-6@d/disk@0:2'
ybin: Finding OpenFirmware device path to `/dev/hda3'...
ybin: DEBUG: macosx set to `/pci@f4000000/ata-6@d/disk@0:3' from `/dev/hda3'
ybin: DEBUG: OS=5
ybin: DEBUG: /bin/sh /usr/lib/yaboot/ofboot 5 bootmacosx 5 0 yaboot GNU l /pci@f4000000/ata-6@d/disk@0:2 ,\\yaboot macosx MacOSX x /pci@f4000000/ata-6@d/disk@0:3 ,\\:tbxi cd CDROM c cd: ,\\:tbxi net Network n enet: 0 of OpenFirmware o quit now
ybin: DEBUG: set magicboot to /tmp/ofboot.M11048
ybin: Installing first stage bootstrap /usr/lib/yaboot/ofboot onto /dev/hda2...
ybin: Installing primary bootstrap /usr/lib/yaboot/yaboot onto /dev/hda2...
ybin: Installing /etc/yaboot.conf onto /dev/hda2...
ybin: Setting attributes on ofboot...
ybin: Setting attributes on yaboot...
ybin: Setting attributes on yaboot.conf...
ybin: Blessing /dev/hda2 with Holy Penguin Pee...
ybin: Updating OpenFirmware boot-device variable in nvram...
ybin: DEBUG: boot-device=/pci@f4000000/ata-6@d/disk@0:2,\\:tbxi
[root@localhost eugene]#

Additional info:
/var/log/audit/audit.log

type=AVC msg=audit(1158431912.084:45): avc: denied { read write } for pid=10514 comm="hmount" name=".hcwd" dev=hda8 ino=911597 scontext=user_u:system_r:bootloader_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1158431912.084:45): arch=14 syscall=5 success=yes exit=3 a0=1002e008 a1=2 a2=1b6 a3=1b6 items=1 pid=10514 auid=5006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="hmount" exe="/usr/bin/hmount" subj=user_u:system_r:bootloader_t:s0
type=CWD msg=audit(1158431912.084:45): cwd="/home/eugene"
type=PATH msg=audit(1158431912.084:45): item=0 name="/root/.hcwd" inode=911597 dev=03:08 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:user_home_dir_t:s0
type=AVC msg=audit(1158431912.084:46): avc: denied { getattr } for pid=10514 comm="hmount" name=".hcwd" dev=hda8 ino=911597 scontext=user_u:system_r:bootloader_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1158431912.084:46): arch=14 syscall=197 success=yes exit=0 a0=3 a1=7fff8218 a2=7fff8218 a3=a items=0 pid=10514 auid=5006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="hmount" exe="/usr/bin/hmount" subj=user_u:system_r:bootloader_t:s0
type=AVC_PATH msg=audit(1158431912.084:46): path="/root/.hcwd"
type=MAC_STATUS msg=audit(1158431936.344:47): enforcing=1 old_enforcing=0 auid=5006
type=SYSCALL msg=audit(1158431936.344:47): arch=14 syscall=4 success=yes exit=1 a0=3 a1=7f8da5f8 a2=1 a3=0 items=0 pid=10528 auid=5006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="setenforce" exe="/usr/sbin/setenforce" subj=user_u:system_r:unconfined_t:s0

[
yaboot-1.3.13-0.18
This should be resolved in FC-6 and later with the don't write in home patch.
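
For triage of the audit.log excerpt in the report above, an added example (not part of the original report or of any project's code): it groups records by audit serial number and pairs each AVC denial with its SYSCALL record, showing that both hmount denials were logged while the syscall still succeeded, which is what permissive mode produces (the MAC_STATUS record with serial 47 switches to enforcing afterwards). The names `summarize` and `blocked` are hypothetical, and the sample records are trimmed from the report.

```python
import re
from collections import defaultdict

# Records taken from the audit.log excerpt in the report; fields not needed
# for the correlation are trimmed for brevity.
SAMPLE = """\
type=AVC msg=audit(1158431912.084:45): avc: denied { read write } for pid=10514 comm="hmount" name=".hcwd" scontext=user_u:system_r:bootloader_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1158431912.084:45): arch=14 syscall=5 success=yes exit=3 pid=10514 comm="hmount" exe="/usr/bin/hmount"
type=AVC msg=audit(1158431912.084:46): avc: denied { getattr } for pid=10514 comm="hmount" name=".hcwd" scontext=user_u:system_r:bootloader_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1158431912.084:46): arch=14 syscall=197 success=yes exit=0 pid=10514 comm="hmount" exe="/usr/bin/hmount"
type=MAC_STATUS msg=audit(1158431936.344:47): enforcing=1 old_enforcing=0 auid=5006
"""

# "type=X msg=audit(<timestamp>:<serial>): <body>"
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
AVC = re.compile(r'avc:\s+denied\s+\{ ([^}]*)\} for .*?comm="([^"]+)".*?'
                 r'scontext=(\S+) tcontext=(\S+) tclass=(\S+)')

def summarize(log):
    """Group records by audit serial; return one dict per AVC denial."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            rtype, _ts, serial, body = m.groups()
            events[int(serial)][rtype] = body
    denials = []
    for serial, recs in sorted(events.items()):
        avc = AVC.search(recs.get("AVC", ""))
        if not avc:
            continue  # e.g. the MAC_STATUS event carries no denial
        perms, comm, scon, tcon, tclass = avc.groups()
        ok = re.search(r'\bsuccess=(\w+)', recs.get("SYSCALL", ""))
        denials.append({
            "serial": serial, "comm": comm, "perms": perms.split(),
            # SELinux contexts are user:role:type:level; the type drives policy
            "source_type": scon.split(":")[2],
            "target_type": tcon.split(":")[2],
            "tclass": tclass,
            # True only when the paired syscall actually failed
            "blocked": bool(ok) and ok.group(1) == "no",
        })
    return denials

if __name__ == "__main__":
    for d in summarize(SAMPLE):
        print(d)
```
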