Bug 412991 - selinux prevents depmod in /tmp during RPM install
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Blocks: K12LTSP
Reported: 2007-12-05 16:40 EST by Warren Togami
Modified: 2008-01-30 14:20 EST (History)

Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:20:44 EST

Description Warren Togami 2007-12-05 16:40:21 EST
Newer upcoming versions of mkinitrd copy kernel modules into
/tmp/somewhere/lib/modules/VERSION/ then run depmod on that to create its own
lib/modules/VERSION/modules.* files.  Unfortunately, SELinux prevents depmod
from operating when this happens from RPM.  But a subsequent attempt from a root
shell succeeds.

[root@newcaprica tmp]# rpm -ivh kernel-2.6.24-0.73.rc4.git1.fc9.x86_64.rpm 
Preparing...                ########################################### [100%]
   1:kernel                 ########################################### [100%]
WARNING: Couldn't open directory
/tmp/initrd.pT5107/lib/modules/2.6.24-0.73.rc4.git1.fc9: Permission denied
FATAL: Could not open
/tmp/initrd.pT5107/lib/modules/2.6.24-0.73.rc4.git1.fc9/modules.dep.temp for
writing: Permission denied

type=AVC msg=audit(1196890268.201:30): avc:  denied  { search } for  pid=8659
comm="depmod" name="tmp" dev=dm-3 ino=2097153
scontext=system_u:system_r:depmod_t:s0-s0:c0.c1023
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1196890268.201:30): arch=c000003e syscall=2 success=no
exit=-13 a0=61d0a0 a1=90800 a2=0 a3=3b9c1529f0 items=0 ppid=4789 pid=8659
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0
comm="depmod" exe="/sbin/depmod" subj=system_u:system_r:depmod_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1196890268.201:31): avc:  denied  { search } for  pid=8659
comm="depmod" name="tmp" dev=dm-3 ino=2097153
scontext=system_u:system_r:depmod_t:s0-s0:c0.c1023
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1196890268.201:31): arch=c000003e syscall=2 success=no
exit=-13 a0=7fff40742450 a1=241 a2=1b6 a3=240 items=0 ppid=4789 pid=8659
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0
comm="depmod" exe="/sbin/depmod" subj=system_u:system_r:depmod_t:s0-s0:c0.c1023
key=(null)

How can we allow this to succeed?
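An added example, not part of the original report: a small Python parser that reads AVC records like the two above (embedded as constructed sample input, re-joined onto single lines the way auditd writes them) and reduces them to the source type, target type, object class and permissions each denial names, rendered as the TE rule audit2allow would propose from the same input. The function names are my own.

```python
import re

# Constructed sample: the two AVC denials (and one SYSCALL record) from the
# report above, each on a single line as auditd writes them.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1196890268.201:30): avc:  denied  { search } for  pid=8659 comm="depmod" name="tmp" dev=dm-3 ino=2097153 scontext=system_u:system_r:depmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1196890268.201:30): arch=c000003e syscall=2 success=no exit=-13 a0=61d0a0 a1=90800 a2=0 a3=3b9c1529f0 items=0 ppid=4789 pid=8659 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="depmod" exe="/sbin/depmod" subj=system_u:system_r:depmod_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1196890268.201:31): avc:  denied  { search } for  pid=8659 comm="depmod" name="tmp" dev=dm-3 ino=2097153 scontext=system_u:system_r:depmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

# Matches the verdict, the permission set in braces, and the three context
# fields of an AVC record; SYSCALL records do not match and are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Return the type (third colon-separated field) of an SELinux context."""
    return ctx.split(":")[2]

def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue
        perms = tuple(sorted(m.group("perms").split()))
        yield (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"), perms)

def summarize_denials(log_text):
    """Collapse repeated denials into unique (source, target, class) keys with merged perms."""
    merged = {}
    for src, tgt, cls, perms in parse_avc_denials(log_text):
        merged.setdefault((src, tgt, cls), set()).update(perms)
    return {key: sorted(perms) for key, perms in merged.items()}

def to_allow_rules(summary):
    """Render each unique denial as the TE allow rule audit2allow would print."""
    return ["allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(perms))
            for (src, tgt, cls), perms in summary.items()]

if __name__ == "__main__":
    for rule in to_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)  # prints: allow depmod_t tmp_t:dir { search };
```

The rule it produces for this log is only the minimal grant implied by the denial; the shipped fix in selinux-policy-3.0.8-66.fc8 is the authoritative policy change for this case.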
Comment 1 Daniel Walsh 2007-12-06 10:07:25 EST
Fixed in selinux-policy-3.0.8-66.fc8
Comment 2 Daniel Walsh 2008-01-30 14:20:44 EST
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.
