Bug 206789 - hmount error prevents ybin to update boot files when selinux enforcing
hmount error prevents ybin to update boot files when selinux enforcing
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: yaboot (Show other bugs)
5
powerpc Linux
medium Severity high
: ---
: ---
Assigned To: David Woodhouse
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-09-16 14:44 EDT by Eugene Savelov
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-11-16 08:18:16 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Eugene Savelov 2006-09-16 14:44:02 EDT
Description of problem:
hmount can not initialize .hcwd when run from /sbin/ybin with enforcing selinux

Version-Release number of selected component (if applicable):
hfsutils-3.2.6-7.2.1
selinux-policy-2.3.7-2.fc5


How reproducible:
always

Steps to Reproduce:
1. /usr/sbin/setenforce 1
2. /sbin/ybin -v --debug
3.
  
Actual results: - gives an error
ybin: Finding OpenFirmware device path to `/dev/hda2'...
ybin: DEBUG: ofboot set to `/pci@f4000000/ata-6@d/disk@0:2'
ybin: Finding OpenFirmware device path to `/dev/hda3'...
ybin: DEBUG: macosx set to `/pci@f4000000/ata-6@d/disk@0:3' from `/dev/hda3'
ybin: DEBUG: OS=5
ybin: DEBUG: /bin/sh /usr/lib/yaboot/ofboot 5 bootmacosx 5  0 yaboot GNU l
/pci@f4000000/ata-6@d/disk@0:2 ,\\yaboot   macosx MacOSX x
/pci@f4000000/ata-6@d/disk@0:3 ,\\:tbxi  cd CDROM c cd: ,\\:tbxi net Network n
enet: 0 of OpenFirmware o quit now
ybin: DEBUG: set magicboot to /tmp/ofboot.a10338
Failed to initialize HFS working directories: Permission denied
ybin: /dev/hda2 appears to have never had a bootstrap installed, please run mkofboot


Expected results: - success
[root@localhost eugene]#  /sbin/ybin -v --debug
ybin: Finding OpenFirmware device path to `/dev/hda2'...
ybin: DEBUG: ofboot set to `/pci@f4000000/ata-6@d/disk@0:2'
ybin: Finding OpenFirmware device path to `/dev/hda3'...
ybin: DEBUG: macosx set to `/pci@f4000000/ata-6@d/disk@0:3' from `/dev/hda3'
ybin: DEBUG: OS=5
ybin: DEBUG: /bin/sh /usr/lib/yaboot/ofboot 5 bootmacosx 5  0 yaboot GNU l
/pci@f4000000/ata-6@d/disk@0:2 ,\\yaboot   macosx MacOSX x
/pci@f4000000/ata-6@d/disk@0:3 ,\\:tbxi  cd CDROM c cd: ,\\:tbxi net Network n
enet: 0 of OpenFirmware o quit now
ybin: DEBUG: set magicboot to /tmp/ofboot.M11048
ybin: Installing first stage bootstrap /usr/lib/yaboot/ofboot onto /dev/hda2...
ybin: Installing primary bootstrap /usr/lib/yaboot/yaboot onto /dev/hda2...
ybin: Installing /etc/yaboot.conf onto /dev/hda2...
ybin: Setting attributes on ofboot...
ybin: Setting attributes on yaboot...
ybin: Setting attributes on yaboot.conf...
ybin: Blessing /dev/hda2 with Holy Penguin Pee...
ybin: Updating OpenFirmware boot-device variable in nvram...
ybin: DEBUG: boot-device=/pci@f4000000/ata-6@d/disk@0:2,\\:tbxi
[root@localhost eugene]#

Additional info:
/var/log/audit/audit.log 
type=AVC msg=audit(1158431912.084:45): avc:  denied  { read write } for 
pid=10514 comm="hmount" name=".hcwd" dev=hda8 ino=911597
scontext=user_u:system_r:bootloader_t:s0
tcontext=user_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1158431912.084:45): arch=14 syscall=5 success=yes exit=3
a0=1002e008 a1=2 a2=1b6 a3=1b6 items=1 pid=10514 auid=5006 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="hmount"
exe="/usr/bin/hmount" subj=user_u:system_r:bootloader_t:s0
type=CWD msg=audit(1158431912.084:45):  cwd="/home/eugene"
type=PATH msg=audit(1158431912.084:45): item=0 name="/root/.hcwd" inode=911597
dev=03:08 mode=0100644 ouid=0 ogid=0 rdev=00:00
obj=user_u:object_r:user_home_dir_t:s0
type=AVC msg=audit(1158431912.084:46): avc:  denied  { getattr } for  pid=10514
comm="hmount" name=".hcwd" dev=hda8 ino=911597
scontext=user_u:system_r:bootloader_t:s0
tcontext=user_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1158431912.084:46): arch=14 syscall=197 success=yes
exit=0 a0=3 a1=7fff8218 a2=7fff8218 a3=a items=0 pid=10514 auid=5006 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="hmount"
exe="/usr/bin/hmount" subj=user_u:system_r:bootloader_t:s0
type=AVC_PATH msg=audit(1158431912.084:46):  path="/root/.hcwd"
type=MAC_STATUS msg=audit(1158431936.344:47): enforcing=1 old_enforcing=0 auid=5006
type=SYSCALL msg=audit(1158431936.344:47): arch=14 syscall=4 success=yes exit=1
a0=3 a1=7f8da5f8 a2=1 a3=0 items=0 pid=10528 auid=5006 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="setenforce"
exe="/usr/sbin/setenforce" subj=user_u:system_r:unconfined_t:s0
[
Comment 1 Eugene Savelov 2006-09-17 05:27:36 EDT
yaboot-1.3.13-0.18
Comment 2 Paul Nasrat 2006-11-16 08:18:16 EST
This should be resolved in FC-6 and later with the don't write in home patch.

Note You need to log in before you can comment on or make changes to this bug.